
rtfm Documentation, Release 0.0a0.post0.dev144+ng4fb6122

Derek

May 28, 2016

Contents

1 Contents
  1.1 Python
  1.2 Java
  1.3 C++
  1.4 Cryptography
  1.5 Information Security
  1.6 System Administration
  1.7 Software Engineering
  1.8 Data Structures and Algorithms
  1.9 Artificial Intelligence
  1.10 Computer Science Mathematics
  1.11 License
  1.12 Developers
  1.13 Changelog
  1.14 rtfm

2 Indices and tables

Python Module Index


These are notes to future me.

I have in the past written many notes on various topics that I wish I still had. So here I am going to write my notes on computer science, programming, system administration, cryptography and system security. I will also include as much working example code as possible, in contrast to examples that have not been tested.

I strongly believe in the „Hackerethik“ (hacker ethic) and think it was best summarized by the CCC (Chaos Computer Club):

• Access to computers – and anything which might teach you something about the way the world really works – should be unlimited and total. Always yield to the Hands-On Imperative!

• All information should be free.

• Mistrust authority – promote decentralization.

• Hackers should be judged by their acting, not bogus criteria such as degrees, age, race, or position.

• You can create art and beauty on a computer.

• Computers can change your life for the better.

• Don’t litter other people’s data.

• Make public data available, protect private data.

In keeping with my opinion on the first and second points, it would only make sense if I published my notes publicly, since I am version controlling them anyway. I hope that they may be useful to someone, and if you happen to be reading and notice something wrong in code or notes feel free to submit an issue. Or if you would like to contribute a fix or elaboration on a topic feel free to get in contact with me. My contact info can be found under Authors.

Warning: The information here has no guarantee of being correct. It ranges from things I have documented for myself because documentation was sparse or not to my liking, to notes from classes, some of which may be rushed. Also some topics may be incomplete; I do not currently intend on waiting for a topic to be complete to publish.


CHAPTER 1

Contents

1.1 Python

1.1.1 Setting up a new Python project

date 18 December, 2015

Introduction

When starting a new project it is no fun wasting time writing a setup.py or mucking about with directory structure. Using the tools pyscaffold and virtualenv a Python development environment can quickly be set up.

tl;dr

# system packages (Debian/Ubuntu); pip lives in the python-pip package
sudo apt-get install python python-pip
pip install pyscaffold virtualenv

# one directory per project for the virtual environments
mkdir -p ~/.virtualenv
virtualenv --python=python3.4 ~/.virtualenv/my_project
source ~/.virtualenv/my_project/bin/activate

# pyscaffold installs the putup command, which generates setup.py,
# setup.cfg, docs/ and tests/ for the new package
cd ~/path/to/my/workspace
putup my_project
cd my_project
vim setup.cfg
vim requirements.txt
vim docs/conf.py


virtualenv

1.2 Java

1.2.1 Class Design

Interface Completeness

For an ADT (Abstract Data Type) interface to be complete it must contain all the operations required to implement the application, and anything that will be needed in the near future. This can be determined by looking at the requirements. It is also important to look for overly complicated code that could be significantly simplified by adding new functions.

Function Redundancy and Generalization

There should not be code redundancies that make a class harder to maintain; generalization should be applied wherever possible.

Meaningful Names

Names should be taken from within the application domain. They should make sense even to non-programmers who understand the domain of the application, even when they do not understand how the program works. For example consider:

class Spaceship {
public:
    std::string getIdentifier();
};

This does not make sense to someone who works with spacecraft, and it is also ambiguous because there are multiple identifiers for spacecraft.

class Spaceship {
public:
    std::string getTailNumber();
    std::string getSideNumber();
};

This is much better: with the usually formal international tail number and the informal inter-organization side number, anyone who has worked within the application domain will understand what they are, and they are unambiguous.

Pre-Conditions and Assumptions

A pre-condition is something that a person calling a function needs to know about and check to make sure it is true before they call the function; otherwise the function will fail in some way. It is considered the obligation of the caller to make sure that meaningful input is provided to the function they call, so pre-conditions must be documented to ensure callers are aware of exactly what meaningful input is; they cannot be expected to do so if they do not know about the pre-conditions.

Java has assert statements similar to the ones in C++; however, Java disables assertions by default, which is the opposite of C++, and they must be enabled with the -ea option when executing a program.


public class Day {

    public Day(int year, int month, int day) {
        // pre-conditions on the arguments; ignored unless run with -ea
        assert year > 1500 : "year out of range";
        assert month > 0 && month <= 12 : "month out of range";
        assert day > 0 && day <= 31 : "day out of range";
        ...
    }

    ...
}

Also, just as with C++, a failing assert terminates the program instead of recovering, so running a program with asserts enabled reduces its robustness.

Data Members

Data members should be encapsulated as private data to provide information hiding. Attributes should be accessed and modified using get/set member functions.

Determine where it makes sense to group attributes together.

Constructor

Every constructor should initialize every data member, and the default constructor should be handled deliberately, just as with C++.

clone() Function

A standardized part of the Java API.

class C {
    ...
    public Object clone() { ... }
    ...
}

Or with inheritance:

public abstract class A implements Cloneable {
    ...
}

public class B extends A {
    ...
    public Object clone() {
        // a real clone() returns a copy of this object's state,
        // for example through a copy constructor
        return new B();
    }
    ...
}

equals() and hashCode() Functions

Just as C++ libraries assume the availability of == and < to support many of their data structures, Java libraries assume equals() and hashCode(). equals() should compare two objects to see if they have the same value, unlike == in Java, which for objects only tests whether both references point to the same object (the same address).

public class Book {

    private String ISBN;

    public Book() {
        ISBN = "";
        ...
    }

    ...

    // Value equality on the ISBN. The instanceof check keeps equals()
    // from throwing ClassCastException when a collection hands it a
    // non-Book (or null).
    @Override
    public boolean equals(Object right) {
        if (!(right instanceof Book)) {
            return false;
        }
        Book b = (Book) right;
        return ISBN.equals(b.ISBN);
    }

    ...

    // Must be derived from the same fields equals() compares.
    @Override
    public int hashCode() {
        return 7 * ISBN.hashCode();
    }
}

Collisions (two unequal objects with the same hash code) are rare but possible and allowed; hash tables handle them. The contract that must never be broken is the other direction: objects that are equals() must return the same hashCode(), so hashCode() has to be computed from the same fields equals() compares.

toString() Function

Used to convert an object to a string representation, most I/O classes read/write strings and debuggers may make useof it to display values.

public class Book {

    public Book() {
        ISBN = "";
        authorName = "";
        title = "";
        ...
    }

    public String toString() {
        return "'" + title + "' by " + authorName;
    }

    ...

    private String authorName;
    private String title;
    private String ISBN;
}

1.2.2 ood

1.2.3 Java Snippets

toString() and clone()

import java.util.Scanner;

public class Composite extends Polyhedron {

    private Polyhedron[] polyhedra;

    Composite() {
        super("Composite");
        polyhedra = null;
    }

    // Copy constructor: deep-copies every contained polyhedron so the
    // copy shares no mutable state with the source.
    Composite(Composite src) {
        super("Composite");
        if (src.polyhedra == null) {
            polyhedra = null;
        } else {
            polyhedra = new Polyhedron[src.polyhedra.length];
            int i = 0;
            for (Polyhedron p : src.polyhedra) {
                if (p != null) {
                    polyhedra[i] = p.clone();
                    boundingBox.merge(p.getBoundingBox());
                    i++;
                }
            }
        }
    }

    public void read(Scanner scanner) {
        int numPolyhedra = scanner.nextInt();
        polyhedra = new Polyhedron[numPolyhedra];
        for (int i = 0; i < polyhedra.length; i++) {
            polyhedra[i] = Polyhedron.createAndRead(scanner);
            boundingBox.merge(polyhedra[i].getBoundingBox());
        }
    }

    public Polyhedron clone() {
        return new Composite(this);
    }

    public void scale(double scalingFactor) {
        boundingBox.scale(scalingFactor);
        if (polyhedra != null) {
            for (Polyhedron p : polyhedra) {
                if (p != null) {
                    p.scale(scalingFactor);
                }
            }
        }
    }

    public String toString() {
        StringBuilder bld = new StringBuilder();
        bld.append(super.toString());
        // Check for null before reading polyhedra.length; a
        // default-constructed Composite would otherwise throw a
        // NullPointerException here.
        if (polyhedra != null) {
            bld.append(polyhedra.length);
            bld.append(" polyhedra");
            for (Polyhedron p : polyhedra) {
                if (p != null) {
                    bld.append("\n  ");
                    bld.append(p.toString());
                }
            }
            bld.append("\n");
        } else {
            bld.append("0 polyhedra\n");
        }
        return bld.toString();
    }
}

1.2.4 Basics

Pointers

Primitives are familiar:

• int

• long

• float

• double


Variables behave as expected and the following will print “x=3 y=2”:

int x = 2;
int y = x;
x++;
System.out.println("x=" + x + " y=" + y);

But everything else is a reference (a pointer), and the following will print “p.x=2 w.x=2”:

void foo(java.awt.Point p) {
    p.x = 1;
    java.awt.Point w = p;
    w.x = 2;
    System.out.println("p.x=" + p.x + " w.x=" + w.x);
}

This is because p and w are references (pointers) so the statement:

java.awt.Point w = p;

causes w to refer to the same object that p does. Because all class-typed variables are really references, the objects themselves have to be created on the heap with new:

Point p = new Point(1,2);

The == Operator

It works as expected on primitives

int x = 23;
int y = 23;
if (x == y) ...

But for class objects == compares references (addresses), so the equals() method must be used to compare values.

Class Inheritance

Slight syntax change from C++:

class NumericValue extends Value {}

In Java if not explicitly inheriting from another class, then it will implicitly inherit from java.lang.Object.

Cloneable is a marker interface that signals a class supports clone(); it declares no methods of its own. Object.clone() checks for it at run time and throws CloneNotSupportedException for a class that does not implement it.

package java.lang;

public interface Cloneable {
}


1.3 C++

1.3.1 Class Design

Interface Completeness

For an ADT interface to be complete it must contain all the operations required to implement the application, and anything that will be needed in the near future. This can be determined by looking at the requirements. It is also important to look for overly complicated code that could be significantly simplified by adding new functions.

Function Redundancy and Generalization

There should not be code redundancies that make a class harder to maintain; generalization should be applied wherever possible.

Meaningful Names

Names should be taken from within the application domain. They should make sense even to non-programmers who understand the domain of the application, even when they do not understand how the program works. For example consider:

class Spaceship {
public:
    std::string getIdentifier();
};

This does not make sense to someone who works with spacecraft, and it is also ambiguous because there are multiple identifiers for spacecraft.

class Spaceship {
public:
    std::string getTailNumber();
    std::string getSideNumber();
};

This is much better: with the usually formal international tail number and the informal inter-organization side number, anyone who has worked within the application domain will understand what they are, and they are unambiguous.

Pre-Conditions and Assumptions

A pre-condition is something that a person calling a function needs to know about and check to make sure it is true before they call the function; otherwise the function will fail in some way. It is considered the obligation of the caller to make sure that meaningful input is provided to the function they call, so pre-conditions must be documented to ensure callers are aware of exactly what meaningful input is; they cannot be expected to do so if they do not know about the pre-conditions.

Pre-conditions should also be “guarded” with asserts; they are by definition boolean expressions. The assert statements can be compiled out with a compiler flag (defining NDEBUG).

#include "spaceship.hpp"
#include <cassert>

void Spaceship::attackTarget(Target t) {
    assert(isEnemy(t));   // pre-condition: only enemy craft may be targeted
    // attack
}

However, this may unfavorably impact the robustness of the code; recovering from errors where possible should be the preferred method. Pre-conditions, though, document things that should never have happened in the first place: here a Spaceship should only ever be allowed to target enemy craft, making friendly fire impossible. If this was not guarded and it happened in the game because the check was ignored, there would be some angry players. Hiding bugs leads to incorrect output, corruption of files and databases, and other problems.

Data Members

Data members should be encapsulated as private data to provide information hiding. Attributes should be accessed and modified using get/set member functions.

Determine where it makes sense to group attributes together.

Constructor

Every constructor should initialize every data member and the default constructor should be properly treated. Options:

1. Compiler generated version is acceptable.

2. Write your own.

3. No default is ok.

4. Other code should not construct objects of the ADT, so it is private.

Initializer List

Can initialize any data member, must be used to initialize:

• Constants

• References

• Members of classes that have no default constructor

A default constructor should always be written.

The compiler generated default constructor:

• Initializes each data member using its type's default constructor.

• For primitive types (int, double, pointers, arrays, and so on) it does nothing: the memory is allocated but left uninitialized.

• Works with compiler generated default constructor:

– Declare an instance

– Declare an array of instances

– Inheritance

– Pass by value

– Pass by reference


• Will break with compiler generated default constructor:

– Constant data members cannot be assigned afterwards; they must be initialized in an initializer list, otherwise the code will not even compile.

– Pointers: if a pointer is not initialized to null it holds whatever happened to be in memory (a wild pointer), and dereferencing it is undefined behaviour.

– Primitive data members likewise keep whatever garbage was in the memory allocated for them, which leads to hard-to-reproduce errors and is a classic source of information leaks.

The Big 3

Important: If you provide your own version of any of the Big 3, you should provide your own version of all 3.

1. Copy Constructor

2. Assignment Operator

3. Destructor

Choices:

1. The compiler version is ok for all 3

2. Provide a version of all 3

3. Copying of the ADT will not be allowed

4. Provide private versions of the copy constructor and assignment operator so the compiler will not generate public ones; nobody will be able to use them (since C++11 the same intent is expressed directly with = delete).

The compiler versions are wrong when:

• Copy Constructor: Shallow-Copy is inappropriate for the ADT

• Assignment Operator: Shallow-Copy is inappropriate for the ADT

• Destructor: The ADT manages memory that needs to be released after it is no longer needed.

• The ADT has pointers as data members, and the objects that are pointed to are not to be shared.

Assignment Operator

Assignment operators should handle self-assignment. If not guarded it can break things.

myShip = myShip;

Clone

Worth considering for inheritance and factory model.

== and <

These are never generated by the compiler implicitly, they must be provided. Reasons to provide them:

• Often required to put objects into data structures

• Required for sorting


• Often used in testing

Output Routine

Even if not required for the operation of the application one should be provided. If nothing else it is useful for testing,debugging, and logging.

Const Correctness

This helps to make the operation of the code easier to understand, and may also allow the compiler to generate moreefficient code. The compiler can also detect possible mistakes using the information.

1. Every formal function parameter that will not be changed by the function is either passed by copy or as a constreference.

• Pass by copy: Will change only the copy of the parameter.

• Pass by constant reference: Will only look at the parameter but not change it.

2. Every member function that does not alter the object it is applied to is declared as a const member.

class Spaceship {
public:
    double distanceFrom(Target t);

private:
    double x;
    double y;
    double z;
};

Note that this is implicitly passed as well (it would be written explicitly as self in Python). Getting the distance from a target to print on the HUD (Heads-Up Display) should not affect the Target or the Spaceship, so both should be protected.

class Spaceship {
public:
    double distanceFrom(const Target& t) const;

private:
    double x;
    double y;
    double z;
};

Here const Target& t protects the target parameter from being changed by the call, and the const appended at the end protects *this.

1.3.2 ood

Inheritance

Inheritance and subtyping are combined:

• A base class is always a superclass


• An inheriting class is always a subclass

• A superclass is always a base class

• A subclass is always an inheriting class

types

Three types important to understanding inheritance in C++,

• Value: Dynamic binding cannot take place; copying a derived object into a base-class value slices off the derived part, which destroys inheritance.

– int

– char

– double

– bool

• Reference: Bound to one object for its whole lifetime and cannot be reseated. Allows dynamic binding because it refers to the object's memory rather than copying it.

– int&

– char&

– double&

• Pointer: Can be changed to point at a different object. Allows dynamic binding because it is a memory address.

– int*

– char*

– double*

Note: The same holds for the const modifier applied to each.

Protected Members

Data members marked as protected are accessible to inheriting classes but private to all other classes.

Overriding Functions

A subclass may either inherit the function body from the superclass or override it by providing its own body.

Abstract Base Classes

class Set {
    ...
    virtual Set& add(int) = 0;
    ...
};

Here the = 0 denotes that no method body exists in this class for this message; such a function is called a pure virtual (abstract) member function. An abstract class in C++ is any class that:


• Contains an = 0 annotation on a member function

• Inherits such a function and does not provide a method for it

In C++ abstract classes have limitations designed to make sure they are used safely.

• You cannot construct an object whose type is an abstract class

• You cannot declare function parameters of an abstract class type when passing parameters “by copy.” But youcan pass pointers/references to the abstract class type.

Multiple Inheritance

Is allowed.

Snippet

class C : public Super {
    // stuff
};

Inheritance Issues

Even if you override a function the inherited bodies are still available. This is useful, for example, for calling base class constructors so subclasses only need to initialize their own new data members. Inheritance of data members is achieved by treating all new members as extensions of the base class.

When the compiler processes data member declarations it assigns a byte offset to each, and inherited members will always occur at the same byte offset as in the base class. This ensures that an access like base->data translates the same way whether base refers to a base class object or a subtype.

Virtual Destructors

Subclasses can add new data members, including pointers. Consider:

Shape* s1 = new Square(size);
Square* s2 = new Square(size);

delete s1; // ~Shape() is called
delete s2; // ~Square() is called

With a non-virtual destructor both deletes use compile-time binding, and the first delete will leak whatever Square holds on the heap because ~Square() never runs. The fix is to force dynamic binding on the destructor, and this must be done at the top of the inheritance hierarchy:

class Shape {
public:
    virtual ~Shape();
    ...
};


Virtual Assignment

Virtual assignment can be tricky because assignment and copying may behave differently, and inherited members might not be what is expected. Subclasses end up with multiple overloaded assignment operators; for it to work both the virtual and the normal operator have to be implemented, and the virtual one is tricky because the object on the right-hand side may not have the type you expect.

There is currently no unified opinion in the C++ community about virtual assignment.

Virtual Constructors

Constructors can never be virtual, which leads to problems when copying through a base-class pointer. Instead we use a simulated “virtual constructor”, usually called clone() or copy().

clone() must be supported by every class in the hierarchy, and each subclass of Shape implements clone() as a copy construction passed to new.

Dynamic Binding

We can choose between compile-time and dynamic binding.

Virtual Functions

• A non-inherited function member is subject to dynamic binding if its declaration is preceded by the wordvirtual.

• An inherited function member is subject to dynamic binding if that member in the base class is subject todynamic binding.

• Using the word virtual in subclasses is optional (but recommended for clarity).

Declaring a function as virtual gives programmers permission to call it by dynamic binding, but not all calls willbe resolved that way.

• x.foo(), where x is an object, is bound at compile time

• x.foo(), where x is a reference, is bound at run-time (dynamic)

• x->foo(), where x is a pointer, is bound at run-time (dynamic)

1.3.3 C++ Snippets

Stream Insertion Operator

The output operator is usually provided as a non-member wrapper around a display member function, but it can also be a friend function. It cannot be a member of the class being printed: a member operator<< would take the Day as its left operand, whereas stream insertion needs the std::ostream on the left.

Listing 1.1: day.hpp

#include <ostream>

class Day {
public:
    Day();
    Day(const int d);
    ~Day();

    void display(std::ostream &outs) const;
    int getDay() const;

private:
    const int day;
};

// Non-member so the stream is the left operand; it only forwards to the
// display() member, which has access to the private data.
inline std::ostream& operator<<(std::ostream &outs, const Day &prt) {
    prt.display(outs);
    return outs;
}

Listing 1.2: day.cpp

#include "day.hpp"

void Day::display(std::ostream &outs) const {
    outs << this->day;
}

1.4 Cryptography

“Few false ideas have more firmly gripped the minds of so many intelligent men than the one that, if theyjust tried, they could invent a cipher that no one could break.”

—David Kahn, in The Codebreakers

1.4.1 History of Cryptography

date 2 February, 2016

“we say again deliberately that human ingenuity cannot concoct a cypher which human ingenuity cannot resolve.”

—Edgar Allan Poe

Cryptanalysis

Classical Attacks

• Brute Force: Black box, just observe input and output.

• Analytical Attacks: White box such as frequency analysis.

Modern Attacks

• Social Engineering

• Implementation Attacks

• Differential Analysis


• Meet-in-the-middle

It is sometimes wrongly stated that implementation attacks are only a concern if attackers can get physical access to the device, and that they cannot be carried out from remote systems. Such remote attacks have been performed under many different circumstances, for example an acoustic key-extraction attack carried out with a cellphone's microphone 1, and a keylogger that uses the accelerometer of a compromised phone placed next to the target's keyboard 2.

Required Knowledge for Attacks

Type of Attack / Known to Cryptanalyst

Ciphertext Only
• Encryption algorithm.
• Ciphertext to be decoded.

Known Plaintext
• Encryption algorithm.
• Ciphertext to be decoded.
• One or more plaintext-ciphertext pairs formed with the secret key.

Chosen Plaintext
• Encryption algorithm.
• Ciphertext to be decoded.
• Plaintext message chosen by cryptanalyst and its corresponding ciphertext.

Chosen Ciphertext
• Encryption algorithm.
• Ciphertext to be decoded.
• Ciphertext chosen by cryptanalyst and its decrypted plaintext.

Chosen Text
• Encryption algorithm.
• Ciphertext to be decoded.
• Plaintext chosen by cryptanalyst and the corresponding ciphertext.
• Ciphertext chosen by cryptanalyst and the corresponding plaintext.

Ciphers

Historical Ciphers

Scytale A Spartan transposition scheme. The message was written on a strip of leather wrapped around a rod; only a rod of the same diameter lines the letters up again to reveal the message.

1 Although this attack was carried out with a cellphone, it is entirely possible this could be achieved with a microphone connected to a computer that has been compromised over a network. http://www.it.slashdot.org/story/13/12/18/2122226/scientists-extract-rsa-key-from-gnupg-using-sound-of-cpu

2 It would even be possible to target specific phones of people known to use said computer. Also the generally insecure nature of phones increases the probability of success; however, this attack is hindered by the fact that most high value targets will have security measures to counter this, such as not allowing cell phones in secure areas. http://www.cc.gatech.edu/traynor/papers/traynor-ccs11.pdf


Caesar Cipher (Shift Cipher) Two possible attacks:

• Frequency analysis

• Brute force: only 26 possible keys

Each letter of the alphabet is simply shifted by a fixed amount. For the mathematical treatment we work in the set $\mathbb{Z}_{26}$; note that the key is also in $\mathbb{Z}_{26}$.

Let $x, y, k \in \mathbb{Z}_{26}$

Encryption: $e_k(x) \equiv x + k \pmod{26}$

Decryption: $d_k(y) \equiv y - k \pmod{26}$

Mono-Alphabetic Substitution Cipher One practical attack:

• Frequency analysis

• Brute force is infeasible: $26! \approx 2^{88}$ possible keys.

Affine Cipher The key space is only a bit larger than in the case of the shift cipher:

key space = (#values for $a$) × (#values for $b$) = $12 \times 26 = 312$

Two possible attacks:

• Frequency analysis

• Brute force: only 312 keys

Let $x, y, a, b \in \mathbb{Z}_{26}$

Encryption: $e_k(x) = y \equiv a \cdot x + b \pmod{26}$

Decryption: $d_k(y) = x \equiv a^{-1} \cdot (y - b) \pmod{26}$

with the key $k = (a, b)$, which has the restriction $\gcd(a, 26) = 1$ so that $a^{-1}$ exists; the 12 valid values of $a$ are 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.
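The shift and affine ciphers above, together with the two attacks listed for them, as an added example (this is not code from the original notes). The cipher follows the equations above exactly; the frequency table ENGLISH_FREQ is the usual published percentages for English text, the scoring function and SAMPLE message are constructed for this example, and the attack goes slightly beyond the notes by combining both attacks: it brute-forces all 312 keys and uses frequency analysis to pick the right one automatically.

```python
"""Shift (Caesar) and affine ciphers over Z_26, with the two attacks the notes
list for them: exhaustive key search and frequency analysis.

Added example; not code from the original notes. ENGLISH_FREQ, the scoring
function and SAMPLE are constructed for this example."""
from math import gcd, log
from string import ascii_uppercase

ALPHABET = ascii_uppercase
M = 26  # we work in Z_26


def mod_inverse(a, m=M):
    """a^{-1} mod m by the extended Euclidean algorithm; exists iff gcd(a, m) == 1."""
    if gcd(a, m) != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % m


def affine_encrypt(plaintext, a, b):
    """e_k(x) = a*x + b mod 26 with k = (a, b); non-letters pass through unchanged."""
    if gcd(a, M) != 1:
        raise ValueError("a must be coprime to 26")
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            x = ALPHABET.index(ch)
            out.append(ALPHABET[(a * x + b) % M])
        else:
            out.append(ch)
    return "".join(out)


def affine_decrypt(ciphertext, a, b):
    """d_k(y) = a^{-1} * (y - b) mod 26."""
    a_inv = mod_inverse(a)
    out = []
    for ch in ciphertext.upper():
        if ch in ALPHABET:
            y = ALPHABET.index(ch)
            out.append(ALPHABET[(a_inv * (y - b)) % M])
        else:
            out.append(ch)
    return "".join(out)


def shift_encrypt(plaintext, k):
    """The Caesar cipher is the affine cipher with a = 1."""
    return affine_encrypt(plaintext, 1, k)


def affine_keyspace():
    """All (a, b) with gcd(a, 26) == 1: 12 * 26 = 312 keys."""
    return [(a, b) for a in range(M) if gcd(a, M) == 1 for b in range(M)]


# Published relative frequencies (percent) of letters in English text.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}


def english_score(text):
    """Log-likelihood of the text under the English letter model; higher is
    more English-like. A wrong key maps common letters onto rare ones and is
    punished heavily, which is exactly what frequency analysis exploits."""
    return sum(log(ENGLISH_FREQ[ch]) for ch in text if ch in ALPHABET)


def break_affine(ciphertext):
    """Brute force: try all 312 keys and keep the one whose candidate
    plaintext scores best. Returns the recovered key (a, b)."""
    return max(affine_keyspace(),
               key=lambda k: english_score(affine_decrypt(ciphertext, *k)))


# Constructed sample message for the demonstration.
SAMPLE = ("THE SPARTANS WRAPPED A STRIP OF LEATHER AROUND THE ROD AND READ THE "
          "ORDER TO MARCH AT DAWN THE ENEMY HAD NOT SEEN THE MESSAGE AND THE "
          "HARBOUR WAS STILL OPEN")

if __name__ == "__main__":
    ct = affine_encrypt(SAMPLE, 5, 8)
    print(ct)
    print("keys tried:", len(affine_keyspace()), "recovered key:", break_affine(ct))
```

The scoring deliberately uses log-frequencies rather than word lookups: it needs no dictionary, and a single common letter mapped onto J, Q, X or Z costs a wrong key more than a dozen correct letters can earn back, so even short ciphertexts are broken reliably.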

Modern Ciphers

Modern Symmetric Ciphers

Data Encryption Standard (DES)

• 1974 Proposed by IBM with input from the NSA

• 1977 to 1998 was a US standard (required for government networks)

• Best studied cipher in the world

• Insecure today (the key is too short; exhaustive search is practical)

• 3DES is still considered secure against key recovery, but inherits DES's 64-bit block size

• Encrypts 8 bytes (64 bits) at a time

• Key size is 56 bits

• Uses 16 rounds that all perform the same operation


• Different sub-key derived from main key for each round

• People wanted to know where the S-boxes came from, and worried that IBM or the NSA had built a back door into them. When Biham and Shamir (Shamir being one of the inventors of RSA) published differential cryptanalysis in 1990, it turned out the S-boxes had been chosen specifically to resist that attack: IBM and the NSA had known about it since the design work in 1974, well over a decade before the open research community.

Shannon: Defined two atomic operations of a block cipher:

• Confusion: the relation between plaintext and ciphertext (and key) is hidden.

• Diffusion: the influence of each plaintext bit is spread over many ciphertext bits.

Product Cipher: Combine confusion and diffusion many times (rounds) to build a strong block cipher.

DES Replacement Algorithms

AES (Rijndael): De facto world standard block cipher. Secure and fast, no patents. Not very small in hardware.

3DES: DES applied 3 times (encrypt-decrypt-encrypt) with 3 different keys. Still very secure and small in hardware, but slow and limited by the 64-bit block size.

Other AES finalists: 4 ciphers, all considered very secure

1. MARS

2. RC6

3. Twofish

4. Serpent

RC4 RC4 is a stream cipher most notably used in the badly flawed WEP (Wired Equivalent Privacy) wireless security standard. Much of WEP's insecurity came from how it used RC4: the 24-bit per-packet IV (Initialization Vector) was simply prepended to the shared key, so IVs and therefore keystreams repeat quickly, and the related-key weaknesses of RC4's key schedule leak the key. Unlike more modern stream ciphers, RC4 itself takes no nonce or IV alongside the key, so the same key always produces the same keystream.

• Implementation

– Initialization (key scheduling)

* Set each element of the 256-element vector S to its index (the identity permutation).

* Fill a temporary 256-element vector by repeating the key bytes.

* Swap elements of S, driven by the temporary vector, to obtain a key-dependent permutation of S.

– Stream generation: each step swaps two elements of S and outputs one byte, so the output is a walk through successive permutations of S.

• Security

– Easy to implement

– Fast in software

– Very susceptible to related-key and weak-key attacks (the key schedule is biased, and so are the first output bytes)

– RFC 7465 prohibits the use of RC4 in all versions of TLS.

– As of 2015 attacks on RC4 in TLS are feasible.

– RC4 is to be disabled by all major browsers in 2016.

– Many attacks exist

– Still theoretically secure under very, very specific circumstances


Advanced Encryption Standard (AES (Advanced Encryption Standard))

• 1997, Call for AES by NIST (National Institute of Standards and Technology)

• 1998, 15 algorithm submissions

• 1999, Reduced to 5 finalist algorithms

– Rijndael

– MARS

– RC6

– Twofish

– Serpent

• 2000, Rijndael was chosen as the AES

Modern Asymmetric Ciphers There are only three algorithms for public-key-cryptography in widespread use.

1. RSA

• Invented in 1977 by Rivest, Shamir, Adleman

• Invention triggered by a 1976 paper by Diffie and Hellman

• Most popular PK crypto-system

• Patented in the USA until 2000

1.4.2 Mathematics of Cryptography

date 2 February, 2016

“You can’t hide secrets from the future with math. You can try, but I bet that in the future they laugh atthe half-assed schemes and algorithms amassed to enforce cryptographs in the past.”

—MC Frontalot

Modular arithmetic

Due to the nature of how computers store numbers, large enough numbers eventually wrap around. When there is overflow the result is found using the modulo operation:

Let $a, r, m \in \mathbb{Z}$ with $m > 0$. We write

$a \equiv r \pmod m$

if $m$ divides $a - r$; $m$ is called the modulus and $r$ the remainder.

Computing the Remainder

Where $q$ is the quotient:

$a \in \mathbb{Z}$, $a = q \cdot m + r$

Note that $a - r = q \cdot m$, which gives $a \equiv r \pmod m$. For example:

$a = 42$, $m = 9$


How many times does 9 divide into 42?

$q = 4,\ r = 6:\quad 42 = 4 \cdot 9 + 6$

Check:

$42 - 6 = 4 \cdot 9 \;\rightarrow\; 36 = 4 \cdot 9,\quad 9 \mid 36$ ✓

The Remainder is not Unique

For every modulus 𝑚 and number 𝑎 there are an infinite number of valid remainders. For example:

42 = 3 · 9 + 15

Check:

$42 - 15 = 3 \cdot 9 \;\rightarrow\; 27 = 3 \cdot 9,\quad 9 \mid 27$ ✓

There is a system to this, called equivalence classes. For example:

𝑎 = 12, 𝑚 = 5

$12 \equiv 2 \pmod 5,\quad 5 \mid (12 - 2)$ ✓

$12 \equiv 7 \pmod 5,\quad 5 \mid (12 - 7)$ ✓

$12 \equiv -3 \pmod 5,\quad 5 \mid (12 + 3)$ ✓

{...− 8,−3, 2, 7, 12, 17, ...}

This infinite set forms an equivalence class modulo 5. All members of the class behave equivalent modulo 5.

List of all equivalence classes modulo 5 ¹:

$A = \{\ldots, -10, -5, 0, 5, 10, \ldots\}$

$B = \{\ldots, -9, -4, 1, 6, 11, \ldots\}$

$C = \{\ldots, -8, -3, 2, 7, 12, \ldots\}$

$D = \{\ldots, -7, -2, 3, 8, 13, \ldots\}$

$E = \{\ldots, -6, -1, 4, 9, 14, \ldots\}$

All Members of an Equivalence Class Behave Equivalently

For a modulus 𝑚 we can choose the element from the class that provides the easiest computation. For example:

$13 \cdot 16 - 8 = 200,\quad 200 \equiv 0 \pmod 5$

Now instead of doing arithmetic with the numbers use the sets 𝐴, 𝐵, 𝐶 ,𝐷, 𝐸.

𝐷 ·𝐵 −𝐷

Use whatever element from the class that provides the easiest arithmetic. However any will work.

3 · 1 − 3 = 0 → 0 ≡ 0 mod 5

8 · 6 − (−7) = 55 → 55 ≡ 0 mod 5

¹ No single equivalence class is the whole of ℤ, but the classes are disjoint, each is infinite and shifted by one from the next, and together the m classes for a given modulus m partition ℤ.


It is nearly always computationally advantageous to perform modulo reduction as soon as possible. The final result isalways the same no matter how many times we switch within the given classes.

Important: A very important application. There are two ways to solve the following problem:

$3^8 \bmod 7 \equiv\ ?$

1. The slow way: compute the power first, then reduce.

$3^8 = 6561$

$6561 \equiv 2 \pmod 7$

2. The easy way: reduce early.

$3^8 = 3^4 \cdot 3^4 = 81 \cdot 81$

Now replace 81 with an equivalent member of its class modulo 7; the easiest choice is simply 81 reduced modulo 7.

$81 \bmod 7 = 4 \;\rightarrow\; 81 \cdot 81 \equiv 4 \cdot 4 = 16$

$16 \equiv 2 \pmod 7$

Mod 2 Addition

An XOR gate has the same truth table as mod 2 addition:

    x_i  s_i  y_i
     0    0    0
     0    1    1
     1    0    1
     1    1    0

Proof (decrypting $y_i \equiv x_i + s_i \pmod 2$ by adding $s_i$ once more):

$d(y_i) \equiv y_i + s_i \equiv (x_i + s_i) + s_i \equiv x_i + 2 s_i \equiv x_i \pmod 2 \quad QED$

Two modulo two is zero, therefore modulo two addition is exactly the same as modulo two subtraction. Properties of note that arise from this:

• A plaintext 0 has an equal chance of producing a 0 or a 1, and likewise a plaintext 1 has an equal chance of producing a 0 or a 1 ².

• When the key bit is 0, the plaintext bit remains the same ³.

• When the key bit is 1, the plaintext bit gets flipped ⁴.

² Assuming $s_i$, the corresponding key bit, has an equal chance of being a 0 or a 1.

³ If the bit is not flipped by the key on encryption, it will not be flipped on decryption either.

⁴ If the bit is flipped on encryption, it will be flipped back on decryption.


Integer Rings

The integer ring $\mathbb{Z}_m$ consists of the set $\mathbb{Z}_m = \{0, 1, 2, \ldots, m-1\}$ and the operations + and ×:

$\forall\, a, b \in \mathbb{Z}_m:\quad a + b \equiv c \pmod m,\ c \in \mathbb{Z}_m$

$\forall\, a, b \in \mathbb{Z}_m:\quad a \times b \equiv d \pmod m,\ d \in \mathbb{Z}_m$

For example:

$\mathbb{Z}_9 = \{0, 1, 2, 3, 4, 5, 6, 7, 8\}$

$6 + 8 = 14 \equiv 5 \pmod 9$

$6 \times 8 = 48 \equiv 3 \pmod 9$

Properties of Integer Rings:

• Adding and multiplying numbers always results in a number in the ring. The ring is closed.

• Addition and multiplication are associative.

• Zero is the neutral element with respect to addition. It always holds that 𝑎 + 0 ≡ 𝑎 mod 𝑚.

• The additive inverse always exists: ∀ 𝑎 ∈ Z𝑚 ∃ −𝑎 | 𝑎 + (−𝑎) ≡ 0 mod 𝑚.

• The multiplicative identity always exists: ∀ 𝑎 ∈ Z𝑚 ∃ 1 | 1 × 𝑎 ≡ 𝑎 mod 𝑚.

• The multiplicative inverse only exists for some elements: 𝑎 · 𝑎−1 ≡ 1 mod 𝑚.

• Finding an inverse can be hard, but finding out if one exists is easy ⁵.

• The distributive property holds as well.

Finite Fields

Very informally: A Field is a set of numbers in which we can add, subtract, multiply, and divide (invert).

Important: A field 𝐹 is a set of elements with the following properties:

• All elements of $F$ form an additive group with the group operation “+” and the neutral element 0.

• All elements of $F$ except 0 form a multiplicative group with the group operation “×” and the neutral element 1.

• When the two group operations are mixed, the distributive law holds, i.e., ∀𝑎, 𝑏, 𝑐 ∈ 𝐹 : 𝑎(𝑏+𝑐) = (𝑎𝑏)+(𝑎𝑐).

In crypto we almost always need finite sets. Finite fields only exist with $p^m$ elements, where $p$ is a prime number and $m$ a positive integer. For example:

• There is a finite field with 11 elements ($11^1$); it is called Galois Field 11, GF(11).

• There is a finite field with 81 elements ($3^4$); it is called Galois Field 81, GF(81) = GF($3^4$).

• There is a finite field with 256 elements ($2^8$); it is called Galois Field 256, GF(256) = GF($2^8$).

Note: 2 is the smallest prime, which matters a great deal for cryptography in practice. The last field above, GF($2^8$), is the AES field.

Types of Finite Fields:

⁵ When $\gcd(a, b) = 1$, $a$ and $b$ are said to be relatively prime or coprime. For $a \in \mathbb{Z}_m$, the inverse $a^{-1}$ exists if and only if $\gcd(a, m) = 1$.


1. GF($p^1$): referred to as prime fields or GF(p), $m = 1$

2. GF($p^m$): referred to as extension fields, $m > 1$

• Especially important in cryptography, GF(2𝑚)

Both types are very important to cryptography.

Additive and Multiplicative Inverses

Most of our math training (basic stuff, algebra, calc, stats, and so on) deals with the real numbers: our friends the counting numbers (1, 2, 3, ...), fractions (1/3, 3/7, 1/15, ...) and all their negative matches. If you start dealing with electronic and electrical engineering, you run into imaginary numbers (things like √−1, phase angles, and so on). When you start looking at sets and mod functions, things are not like any of those any more. When you write equations in set and mod world, you use the same symbols as you would when talking about real numbers, but the meaning is different. In set land, $A^{-1}$ does not mean $1/A$ like in real land. The reason for the difference is that set land has a very limited set (hence the name) of values to choose from. The answer can only come from the members of the set.

So, the additive inverse of 𝐴 in the set 𝑃 , has to satisfy the equation:

𝐴 + (−𝐴) = 0 mod 𝑃

Meaning that we have to go through all the members of the set $P$ and find a value that, when added to $A$ with the mod function applied to the result, returns a 0. (Pay close attention to that order of operations; it is different from things in the real number world.)

The multiplicative inverse of 𝐴 in the set 𝑃 , has to satisfy the equation:

𝐴 ·𝐴−1 = 1 mod 𝑃

We do things in the same order as the additive inverse, in that we go through the set 𝑃 , multiply each member by 𝐴and take the mod of the result, looking for the first number that results in a 1 from the mod function. (There are a fewgotchas in there. Like if 𝐴 is 0, then there is not a solution to the equation. Also, if 𝐴 = 5 and 𝑃 = 10, then there isnot a solution.) Here is another way to write the equation(s) that might be a little more comfortable:

Additive inverse: (𝐴 + 𝐵) mod 𝑃 = 0

Multiplicative inverse: (𝐴 ·𝐵) mod 𝑃 = 1

All we did was substitute $B$ for the possibly confusing notation. The goal is still the same: find a value of $B$ that makes the equation work. There may not be a $B$. Repeating, the multiplicative inverse of 5 in $\mathbb{Z}_{10}$ does not exist (and $\mathbb{Z}_{10}$ is only a ring, not a field, since 10 is not a prime power).

Summing it up, the words in the description (additive and multiplicative inverses, and so on) are the same in realnumbers, and sets. The symbols are the same in real and mod sets. The meanings change.

Prime Fields

The elements of a Prime Field GF(p) are the integers:

{0, 1, ... , 𝑝− 1}

Operations: +, −, ×, ÷

Let $a, b \in \mathrm{GF}(p) = \{0, 1, \ldots, p-1\}$:

$a + b \equiv c \pmod p$

$a - b \equiv d \pmod p$

$a \cdot b \equiv e \pmod p$


Inversion: ÷

𝑎 ∈ GF(𝑝)

Note: The inverse $a^{-1}$ must satisfy $a \cdot a^{-1} \equiv 1 \pmod p$.

Can be computed with the Extended Euclidean Algorithm.

Extension Fields GF($2^m$)

Element Representation

The elements of GF(2𝑚) are polynomials:

𝑎𝑚−1𝑥𝑚−1 + ... + 𝑎1𝑥 + 𝑎0 = 𝐴(𝑥) ∈ GF(2𝑚)

𝑎𝑖 ∈ GF(2) = {0, 1}

For example:

𝐴(𝑥) = 𝑎2𝑥2 + 𝑎1𝑥 + 𝑎0 = {𝑎2, 𝑎1, 𝑎0}

Note: each coefficient $a_i$ is from the set {0, 1}, i.e. one bit. With three bits we can represent 8 elements:

GF(23) = {0, 1, 𝑥, (𝑥 + 1), (𝑥2), (𝑥2 + 1), (𝑥2 + 𝑥), (𝑥2 + 𝑥 + 1)}

Addition and Subtraction

Use regular polynomial addition and subtraction, where the coefficients are computed in GF(2).

Important: Extension field addition and subtraction

Let $A(x), B(x) \in \mathrm{GF}(2^m)$. The sum of the two elements is computed according to:

$C(x) = A(x) + B(x) = \sum_{i=0}^{m-1} c_i x^i, \quad c_i \equiv a_i + b_i \pmod 2$

and the difference according to:

$C(x) = A(x) - B(x) = \sum_{i=0}^{m-1} c_i x^i, \quad c_i \equiv a_i - b_i \equiv a_i + b_i \pmod 2$

For example: GF(23)

𝐴(𝑥) = 𝑥2 + 𝑥 + 1

𝐵(𝑥) = 𝑥2 + 1

$A(x) + B(x) = 2x^2 + x + 2 \equiv 0 \cdot x^2 + x + 0 = x \pmod 2$

Addition and subtraction in GF(2) are the same operation.


Multiplication

Reducing the coefficients modulo 2 is not enough to keep a product in the field; the product must also be reduced modulo a polynomial. That polynomial must “behave like a prime”: such polynomials are called irreducible polynomials.

Important: Extension field multiplication

Let $A(x), B(x) \in \mathrm{GF}(2^m)$ and let

$P(x) \equiv \sum_{i=0}^{m} p_i x^i, \quad p_i \in \mathrm{GF}(2)$

be an irreducible polynomial. Multiplication of the two elements $A(x)$ and $B(x)$ is performed as

$C(x) \equiv A(x) \cdot B(x) \bmod P(x)$

For example: GF(23)

$A(x) \cdot B(x) = (x^2 + x + 1)(x^2 + 1) = x^4 + x^3 + 2x^2 + x + 1 \equiv x^4 + x^3 + x + 1 \pmod 2$

Irreducible polynomial for GF($2^3$):

$P(x) = x^3 + x + 1$

$A(x) \cdot B(x) \bmod P(x)$: dividing $x^4 + x^3 + x + 1$ by $x^3 + x + 1$ gives the quotient $(x + 1)$ with remainder $x^2 + x$, so

$A(x) \cdot B(x) \bmod P(x) \equiv x^2 + x$

For every Field GF(2𝑚) there are several irreducible polynomials. It is important in cryptography to use the same oneconsistently.

AES irreducible polynomial:

𝑃 (𝑥) = 𝑥8 + 𝑥4 + 𝑥3 + 𝑥 + 1

Inversion

The inverse $A^{-1}(x)$ of $A(x) \in \mathrm{GF}(2^m)$ must satisfy

$A(x) \cdot A^{-1}(x) \equiv 1 \bmod P(x)$

Again we need an extended Euclidean Algorithm to find the inverse.

Euclidean algorithm

It finds the greatest common divisor: given $r_0, r_1$ it computes $\gcd(r_0, r_1)$. The naive way is to factor both numbers:

𝑟0 = 27, 𝑟1 = 21

27 = 3 · 3 · 3

21 = 3 · 7

3 = gcd(27, 21)

Factoring has one large drawback: it does not work for large numbers, which are too big to factor in any reasonable amount of time. The Euclidean algorithm is much faster; it repeatedly reduces the large numbers to smaller ones until the problem is manageable, using

gcd(𝑟0, 𝑟1) = gcd(𝑟0 mod 𝑟1, 𝑟1) = gcd(𝑟1, 𝑟0 mod 𝑟1)


𝑟0 = 27, 𝑟1 = 21

gcd(27, 21) = gcd(27 mod 21, 21) = gcd(6, 21)

gcd(21, 6) = gcd(21 mod 6, 6) = gcd(6, 3)

gcd(6, 3) = 3

Note that the base case is 𝑟0 mod 𝑟1 = 0 for the recursive definition.

𝑟0 = 973, 𝑟1 = 301

973 = 301 · 3 + 70

301 = 70 · 4 + 21

70 = 21 · 3 + 7

21 = 7 · 3 + 0

gcd(973, 301) = 7

On notation: each consecutive remainder calculated is 𝑟𝑖+1, and the gcd is the last remainder computed before thezero.

Extended Euclidean algorithm

Calculates gcd and finds coefficients 𝑠 and 𝑡. New notation 𝑞 is quotient.

gcd(𝑟0, 𝑟1) = 𝑠 · 𝑟0 + 𝑡 · 𝑟1

Compute regular Euclidean Algorithm:

gcd(𝑟0, 𝑟1) → 𝑟0 = 𝑞1𝑟1 + 𝑟2 → 𝑟2 = 𝑠2𝑟0 + 𝑡2𝑟1

gcd(𝑟1, 𝑟2) → 𝑟1 = 𝑞2𝑟2 + 𝑟3 → 𝑟3 = 𝑠3𝑟0 + 𝑡3𝑟1

Note that 𝑠 and 𝑡 continue to be defined in terms of the original inputs.

gcd(𝑟𝑙−2, 𝑟𝑙−1) → 𝑟𝑙−2 = 𝑞𝑙−1𝑟𝑙−1 + 𝑟𝑙 → 𝑟𝑙 = 𝑠𝑙𝑟0 + 𝑡𝑙𝑟1

Note that 𝑟𝑙 is the gcd and the next calculation would be the base case with a remainder of 0. For the EuclideanAlgorithm to become the Extended Euclidean Algorithm you just need a way to compute 𝑠 and 𝑡.

𝑟0 = 973, 𝑟1 = 301

gcd(973, 301) = 𝑠 · 973 + 𝑡 · 301 = 7

973 = 301 · 3 + 70 → 𝑟2 = 70 = 1 · (973) + −3 · (301)

Substitute the 70 with the line above:

301 = 70 · 4 + 21 → 𝑟3 = 21 = 301 − 4 · 70 = 301 − 4 · (973 − 3 · 301)

𝑟3 = −4 · (973) + 13 · (301)

Now we must go back two lines to solve:

70 = 21 · 3 + 7 → 𝑟4 = 70 − 3 · 21 = (973 − 3 · 301) − 3(−4 · 973 + 13 · 301)

$r_4 = 13 \cdot 973 - 42 \cdot 301$

21 = 7 · 3 + 0

$\gcd(973, 301) = r_4 = 13 \cdot 973 - 42 \cdot 301 = 7$


Generalization:

𝑟𝑖−2 = 𝑠𝑖−2𝑟0 + 𝑡𝑖−2𝑟1

𝑟𝑖−1 = 𝑠𝑖−1𝑟0 + 𝑡𝑖−1𝑟1

Next iteration:

1. EA: $r_{i-2} = q_{i-1} r_{i-1} + r_i$

• Rewrite as: $r_i = r_{i-2} - q_{i-1} r_{i-1}$

• Note that $r_{i-1}$ and $r_{i-2}$ are from the lines above.

2. Substitute: $r_i = (s_{i-2} r_0 + t_{i-2} r_1) - q_{i-1}(s_{i-1} r_0 + t_{i-1} r_1)$

3. Reorder: $r_i = (s_{i-2} - q_{i-1} s_{i-1})\, r_0 + (t_{i-2} - q_{i-1} t_{i-1})\, r_1$

4. Solve terms: $r_i = s_i r_0 + t_i r_1$

Recursive formulae:

$s_i = s_{i-2} - q_{i-1} s_{i-1} \quad \forall\, i \ge 2$

$t_i = t_{i-2} - q_{i-1} t_{i-1} \quad \forall\, i \ge 2$

where $s_0 = 1,\ s_1 = 0,\ t_0 = 0,\ t_1 = 1$

Main Application of the Extended Euclidean algorithm

Computing of inverses mod𝑛.

Problem:

$a^{-1} \equiv x \pmod n$, i.e. $a^{-1} \cdot a \equiv 1 \pmod n$

Run the EEA on $(n, a)$:

$\gcd(n, a) = 1 = s \cdot n + t \cdot a$

$s \cdot n + t \cdot a \equiv 1 \pmod n$

$t \cdot a \equiv 1 \pmod n$

$t = a^{-1}$

The parameter $t$ of the EEA is the inverse of $r_1 \bmod r_0$; this is what makes division possible. Because every inverse costs a whole EEA run, division takes much more work than the other operations.
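As an added example (not code from the rtfm notes), the recursion above implemented in Python: egcd carries the $s_i$, $t_i$ pairs exactly as in the recursive formulae, mod_inverse applies the EEA the way the “Main Application” paragraph describes, and the two search functions do the brute-force walk through $\mathbb{Z}_m$ from the “Additive and Multiplicative Inverses” section, returning None where no inverse exists (a = 0, or a = 5 in $\mathbb{Z}_{10}$). Function names are my own.

```python
# Added example (not code from the rtfm notes): extended Euclidean algorithm with the
# s_i / t_i recursion from the text, plus the brute-force inverse search from the
# "Additive and Multiplicative Inverses" section. Function names are my own.

def egcd(r0, r1):
    """Return (g, s, t) with g = gcd(r0, r1) = s*r0 + t*r1.

    Runs the Euclidean algorithm r_{i-2} = q_{i-1} r_{i-1} + r_i and carries
        s_i = s_{i-2} - q_{i-1} s_{i-1},   t_i = t_{i-2} - q_{i-1} t_{i-1}
    starting from s_0 = 1, s_1 = 0, t_0 = 0, t_1 = 1.
    """
    s_prev, s_cur = 1, 0
    t_prev, t_cur = 0, 1
    while r1 != 0:
        q, r = divmod(r0, r1)
        r0, r1 = r1, r                      # next remainder pair
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev               # r0 is the last non-zero remainder


def mod_inverse(a, n):
    """a^-1 mod n via the EEA: gcd(n, a) = s*n + t*a = 1  =>  t*a ≡ 1 (mod n)."""
    g, _s, t = egcd(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {g}")
    return t % n                            # bring t into Z_n


def additive_inverse(a, m):
    """The b in Z_m with (a + b) mod m == 0; this one always exists."""
    return next(b for b in range(m) if (a + b) % m == 0)


def multiplicative_inverse_by_search(a, m):
    """Walk Z_m looking for b with (a * b) mod m == 1; None if no such b exists
    (e.g. a = 0, or a = 5 in Z_10, where gcd(5, 10) = 5)."""
    return next((b for b in range(m) if (a * b) % m == 1), None)


if __name__ == "__main__":
    print(egcd(973, 301))                   # (7, 13, -42): 7 = 13*973 - 42*301
    print(mod_inverse(3, 7))                # 5, since 3*5 = 15 ≡ 1 (mod 7)
    print(multiplicative_inverse_by_search(5, 10))   # None
```

The search version is only there to make the definition concrete; for the sizes used in RSA or Diffie-Hellman only the EEA route is usable, which is the point of the paragraph above.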

Number Theory

Euler’s Phi Function Φ

Very important to RSA. In cryptography it is very common to see the following problem:

$\mathbb{Z}_m = \{0, 1, \ldots, m-1\}$

$\gcd(0, m) = m$

$\gcd(1, m) = \ ?$

$\cdots$

$\gcd(m-1, m) = \ ?$


The number of integers in Z𝑚 relatively prime to 𝑚 is denoted by Φ(𝑚).

𝑚 = 6

$\mathbb{Z}_6 = \{0, 1, 2, 3, 4, 5\}$

$\gcd(0, 6) = 6$

gcd(1, 6) = 1

gcd(2, 6) = 2

gcd(3, 6) = 3

gcd(4, 6) = 2

gcd(5, 6) = 1

Φ(6) = 2

Only 1 and 5 are relatively prime to 6, and the Φ function counts exactly those integers. Counting them one by one is infeasible for very large numbers, but when the factorisation of $m$ is known, Φ(m) is easy to compute (and finding that factorisation is itself hard, which is what RSA relies on). Let

$m = p_1^{e_1} \cdot p_2^{e_2} \cdots p_n^{e_n}$

where the $p_i$ are distinct prime numbers and the $e_i$ positive integers. Then:

$\Phi(m) = \prod_{i=1}^{n} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$

Example: $m = 240$

$m = 16 \cdot 15 = 2^4 \cdot 3^1 \cdot 5^1$

$\Phi(240) = \prod_{i=1}^{3} \left(p_i^{e_i} - p_i^{e_i - 1}\right) = (2^4 - 2^3)(3^1 - 3^0)(5^1 - 5^0) = 8 \cdot 2 \cdot 4 = 64$

Fermat’s Little Theorem

Let 𝑎 be an integer and 𝑝 be a prime, then:

𝑎𝑝 ≡ 𝑎 mod 𝑝

Euler’s Theorem

Let $a$ and $m$ be integers with $\gcd(a, m) = 1$, then:

𝑎Φ(𝑚) ≡ 1 mod 𝑚
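An added example (not code from the rtfm notes) that computes Φ both ways, by the definition (counting the residues coprime to m) and by the product formula over the prime factorisation, and checks Fermat’s little theorem and Euler’s theorem with Python’s built-in modular pow. The trial-division factorize helper is only meant for small m; function names are my own.

```python
# Added example (not code from the rtfm notes): Euler's phi function by definition
# and by the product formula, with checks of Fermat's and Euler's theorems.
# Function names are my own; factorize() is trial division and only meant for small m.
from math import gcd


def factorize(m):
    """Prime factorisation as [(p_1, e_1), (p_2, e_2), ...] with distinct primes."""
    factors, p = [], 2
    while p * p <= m:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        if e:
            factors.append((p, e))
        p += 1
    if m > 1:                      # whatever is left is itself a prime
        factors.append((m, 1))
    return factors


def phi_by_gcd(m):
    """Definition: the number of a in Z_m = {0, ..., m-1} with gcd(a, m) = 1."""
    return sum(1 for a in range(m) if gcd(a, m) == 1)


def phi(m):
    """Product formula: phi(m) = prod_i (p_i^e_i - p_i^(e_i - 1))."""
    result = 1
    for p, e in factorize(m):
        result *= p**e - p**(e - 1)
    return result


def euler_holds(a, m):
    """Euler: a^phi(m) ≡ 1 (mod m) whenever gcd(a, m) = 1."""
    return gcd(a, m) == 1 and pow(a, phi(m), m) == 1


def fermat_holds(a, p):
    """Fermat: a^p ≡ a (mod p) for prime p."""
    return pow(a, p, p) == a % p


if __name__ == "__main__":
    print(factorize(240), phi(240), phi_by_gcd(240))   # [(2, 4), (3, 1), (5, 1)] 64 64
```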

Binary Exponentiation (Square-and-Multiply)

In practice fast exponentiation is needed because of the very large numbers that are frequently used in cryptography.

For example:

𝑥4 = ?


Naive method: cost 3 multiplications

𝑥 · 𝑥 = 𝑥2

𝑥2 · 𝑥 = 𝑥3

𝑥3 · 𝑥 = 𝑥4

Better way: cost is 2 multiplications

𝑥 · 𝑥 = 𝑥2

𝑥2 · 𝑥2 = 𝑥4

For larger exponents you will find, for example, that $x^8$ costs 7 multiplications the naive way but only 3 squarings the better way. For much larger exponents this saves an extreme number of operations: with a 1024-bit exponent, as in RSA-1024, the naive method needs up to $2^{1024} - 1$ multiplications, which will never finish, while repeated squaring reaches $x^{2^{1024}}$ in only 1024 squarings. This gives logarithmic complexity. Unfortunately repeated squaring alone only reaches exponents that are powers of 2, so we need a method that also works for arbitrary exponents.

The Algorithm For this method we combine multiplication and squaring in a specific order to obtain the targetvalue. First scan the exponent bits left to right, there are two things we do for each exponent bit.

1. In every iteration we square to left shift the bits.

2. We multiply by 𝑥 only if we need to flip a bit to a one.

Example:

𝑥26

Square: 𝑥 · 𝑥 = 𝑥2

Multiply: 𝑥 · 𝑥2 = 𝑥3

Square: 𝑥3 · 𝑥3 = 𝑥6

Square: 𝑥6 · 𝑥6 = 𝑥12

Multiply: 𝑥 · 𝑥12 = 𝑥13

Square: 𝑥13 · 𝑥13 = 𝑥26

The rule for when to multiply and when to square follows from the binary representation of the exponent: $26 = 11010_2$.

$x^{1_2} \rightarrow$ square: $(x^{1_2})^2 = x^{10_2}$, multiply: $x^{10_2} \cdot x^{1_2} = x^{11_2}$

Note that at this point the exponent $11_2$ equals the first two bits of the target exponent. Squaring shifts the bits of the exponent one place to the left:

$x^{11_2} \cdot x^{11_2} = x^{110_2}, \quad x^{110_2} \cdot x^{110_2} = x^{1100_2}$

Now we multiply again to set the bit we want:

$x^{1100_2} \cdot x^{1_2} = x^{1101_2}$

And one last shift gives the exponent we want:

$x^{1101_2} \cdot x^{1101_2} = x^{11010_2} = x^{26}$
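Added example (not code from the rtfm notes): the left-to-right square-and-multiply procedure above, reducing modulo n after every step as the “reduce as soon as possible” discussion recommends, with an optional trace that reproduces the sequence of squarings and multiplications for $x^{26}$. Function names are my own.

```python
# Added example (not code from the rtfm notes): left-to-right square-and-multiply with
# modular reduction after every step (the "reduce as early as possible" rule), and an
# optional trace that reproduces the x^26 schedule from the text. Names are my own.

def square_and_multiply(x, e, n=None, trace=None):
    """x**e, reduced mod n when n is given, scanning the bits of e from the MSB.

    Every bit costs one squaring (a left shift of the exponent built so far);
    a 1 bit additionally costs one multiplication by x (setting that bit).
    If trace is a list, ('S'|'M', exponent-so-far) is appended per operation.
    """
    if e < 0:
        raise ValueError("negative exponents need a modular inverse first")
    if e == 0:
        return 1 if n is None else 1 % n
    bits = bin(e)[2:]                      # e.g. 26 -> '11010'
    result, exp = x, 1                     # leading 1 bit: start from x^1
    for bit in bits[1:]:
        result *= result                   # square: exponent <<= 1
        exp *= 2
        if n is not None:
            result %= n                    # keep the operands small
        if trace is not None:
            trace.append(("S", exp))
        if bit == "1":
            result *= x                    # multiply: exponent |= 1
            exp += 1
            if n is not None:
                result %= n
            if trace is not None:
                trace.append(("M", exp))
    return result


def cost(e):
    """(squarings, multiplications) needed for exponent e."""
    return e.bit_length() - 1, bin(e).count("1") - 1


if __name__ == "__main__":
    steps = []
    square_and_multiply(3, 26, trace=steps)
    print(steps)    # [('S', 2), ('M', 3), ('S', 6), ('S', 12), ('M', 13), ('S', 26)]
```

A 1024-bit exponent therefore costs at most 1023 squarings plus 1023 multiplications, against $2^{1024}$ for the naive method. Note that this plain version leaks the exponent bits through its timing (a multiply happens only on 1 bits); constant-time implementations use a fixed schedule instead.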


1.4.3 Symmetric Cryptography

date 2 February, 2016

“The mathematical sciences particularly exhibit order, symmetry and limitation; and these are the greatestforms of the beautiful.”

—Aristotle

Random Numbers

During WWII the key settings were distributed to the operators in advance, for example with code books. The code books told them the daily configuration of the machine, such as the order of the rotors. It was then left up to the operators to choose a random initial state for the rotors, and humans being humans, they lazily only rotated the rotors a few places or to a common setting. The same thing can still be seen today and is analogous to lazy settings for combination locks. A perfect example of this that I have witnessed is an entire building’s combination locks using the room numbers as the settings that open the locks; likewise cipher locks are nearly always easy to break because of the common, easy-to-remember patterns everyone uses. This destroyed the uniform distribution of the rotor positions and led to complete reverse engineering of the rotor wiring. If the rotor positions of the Enigma machine had been decided with dice instead, each day’s starting point would have held a uniform distribution and prevented reverse engineering of the rotor wiring.

The source of randomness is very important to cryptography, and selecting the appropriate algorithms to generate random numbers is essential to applied cryptography. Types of random number generators (RNGs):

1. True Random Number Generators (TRNGs) ¹

• Truly random numbers stem from some physical process.

– Coin Flip

– Lottery

– Noise (thermal, audio)

– Mouse Movement

– Keyboard Input (Time Difference)

2. Pseudo Random Number Generators (PRNGs) ²

• Deterministic, they can be computed.

• They mimic the properties of truly random numbers.

• Often computed with the function:

– $s_0$ = seed

– $s_{i+1} = f(s_i)$

• The initial state of the function is a small truly random number (the seed); all following key bits are computed from it by the deterministic function $f$.

3. Cryptographically Secure PRNGs (CSPRNGs)

• Often computed similarly to PRNGs.

¹ The drawback is that results obtained with a TRNG for research purposes can not be duplicated, making it impossible to check the validity of a study’s figures.

² The PRNG property of having TRNG-like output while being deterministic makes them ideal for research that needs to be reproducible. If the seed used for the experiments is published along with which PRNG was used, anyone wanting to reproduce the study can plug in the same seed and get exactly the same output.


• CSPRNGs are basically PRNGs with an additional property.

– The numbers are unpredictable

• Informal definition of unpredictable:

– Given $n$ output bits $s_i, s_{i+1}, \ldots, s_{i+n-1}$, it is computationally infeasible to compute the next bit $s_{i+n}$.

• Types:

(a) Purpose-built algorithms, designed from scratch to have properties desirable to the intended ap-plication.

(b) Based on existing cryptographic algorithms, these may be built around pre-existing symmetric orasymmetric algorithms or even hash functions.

4. Pseudo Random Functions (PRF (Pseudo Random Function))

• Takes a seed as input.

• Also a context specific value is used as input.

– Timestamp

– ID

Stream Ciphers

»Am Fluß des lebens: Die Brücke der Begegnung heißt Miteinander.«

—Ernst Ferstl

Stream ciphers encrypt bits individually:

$y_i = e(x_i) \equiv x_i + s_i \pmod 2$

$x_i = d(y_i) \equiv y_i + s_i \pmod 2$

Linear Congruential Generator: LCG

Use a key stream $s_i$ from a PRNG. The key is used as the seed.

$S_0$ = seed

$S_{i+1} \equiv A \cdot S_i + B \pmod m, \quad A, B, S_i \in \mathbb{Z}_m$

Key $K = (A, B)$

$A$, $B$ and $S_i$ are $\lceil \log_2 m \rceil$ bits long.

Warning: Attack: Oscar knows $x_1, x_2, x_3$ ᶜ

ᶜ For example Oscar may know a fixed value in a protocol header, and its exact bit offset from the beginning of the message.

1. Knowing $x_1$ and $y_1$, $S_1$ can be computed, and likewise $S_2$ and $S_3$.

2. $S_2 \equiv A \cdot S_1 + B \pmod m$: only $A$ and $B$ are unknown. It is a linear equation with two unknowns, so one more equation is needed to solve it:

$S_3 \equiv A \cdot S_2 + B \pmod m$


The system is now broken; it can be solved as a system of equations (provided $S_1 - S_2$ is invertible modulo $m$):

$A = (S_2 - S_3)(S_1 - S_2)^{-1} \bmod m$

$B = S_2 - S_1 (S_2 - S_3)(S_1 - S_2)^{-1} \bmod m$
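The attack in the warning box, as an added example (not code from the rtfm notes): a stream cipher that XORs 24-bit plaintext words with LCG outputs, and Oscar recovering $(A, B)$ from three known header words with the two formulas above, then decrypting the rest. The modulus, key, seed, header and message are all constructed for the demo; a prime modulus is used so that $(S_1 - S_2)^{-1}$ exists whenever $S_1 \neq S_2$.

```python
# Added example (not code from the rtfm notes): a stream cipher keyed by an LCG, and
# Oscar's known-plaintext attack from the warning box. All values are constructed.

M = 2**31 - 1    # prime modulus, so (S1 - S2) is invertible mod M whenever S1 != S2
WORD = 3         # plaintext bytes XORed with each keystream word (24 bits < 31 bits)

# Secret key (A, B) and seed S0, known to Alice and Bob only (constructed values).
A_SECRET, B_SECRET, SEED = 1103515245, 12345, 123456789


def lcg_stream(a, b, s0, n):
    """Keystream words S_1..S_n from S_{i+1} = A*S_i + B mod m (S_0 is the seed)."""
    words, s = [], s0
    for _ in range(n):
        s = (a * s + b) % M
        words.append(s)
    return words


def to_words(data):
    data += b"\x00" * (-len(data) % WORD)          # zero-pad to a whole word
    return [int.from_bytes(data[i:i + WORD], "big") for i in range(0, len(data), WORD)]


def from_words(words):
    return b"".join(w.to_bytes(WORD, "big") for w in words)


def encrypt(a, b, s0, plaintext):
    """y_i = x_i XOR S_i, word by word."""
    xs = to_words(plaintext)
    return [x ^ s for x, s in zip(xs, lcg_stream(a, b, s0, len(xs)))]


def recover_key(s1, s2, s3):
    """A = (S2 - S3)(S1 - S2)^-1 mod m,  B = S2 - A*S1 mod m (from the text)."""
    if (s1 - s2) % M == 0:
        raise ValueError("S1 == S2: pick a different pair of known words")
    a = (s2 - s3) * pow((s1 - s2) % M, -1, M) % M   # pow(x, -1, m) needs Python 3.8+
    b = (s2 - a * s1) % M
    return a, b


def attack(ciphertext, known_header):
    """Oscar knows the first three plaintext words (a fixed protocol header)."""
    x1, x2, x3 = to_words(known_header)[:3]
    s1, s2, s3 = ciphertext[0] ^ x1, ciphertext[1] ^ x2, ciphertext[2] ^ x3
    a, b = recover_key(s1, s2, s3)
    # S3 now acts as the seed for everything that follows it
    stream = [s1, s2, s3] + lcg_stream(a, b, s3, len(ciphertext) - 3)
    return (a, b), from_words([y ^ s for y, s in zip(ciphertext, stream)])


HEADER = b"PKT v1.0 "                              # 9 bytes = 3 words, constructed
PLAINTEXT = HEADER + b"transfer 1000 to acct 42"   # 33 bytes, constructed

if __name__ == "__main__":
    ct = encrypt(A_SECRET, B_SECRET, SEED, PLAINTEXT)
    key, pt = attack(ct, HEADER)
    print(key == (A_SECRET, B_SECRET), pt)
```

Nothing about the key size helps here: the attack costs one modular inversion regardless of how large $m$ is, which is why an LCG is a fine PRNG for simulations and useless as a key stream generator.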

One Time Pad (OTP)

Perfect Secrecy: A cipher is “unconditionally secure” (or information theoretically secure) if it can not be broken even with infinite computing resources.

OTP (One Time Pad): is a stream cipher where,

1. The key stream bits 𝑠𝑖 stem from a TRNG.

2. Each key stream bit is used only once 4.

This provides perfect security. The problem with the OTP is key distribution.

Linear Feedback Shift Register (LFSR)

A type of stream cypher that is easily implemented in hardware.

Fig. 1.1: A simple LFSR (Linear Feedback Shift Register).

The atomic element is the flip-flop: it stores one bit, latching its input on each clock pulse. An LFSR has a period after which the pattern of the key repeats. The LFSR shown in the figure has $m = 3$ and a period of $7 = 2^3 - 1$.

⁴ The huge drawback is that the key must be as long as the message and it can not be reused. This is why the OTP can not scale to everyday communications.


    P0 (input)  P1  P2  ⊕1  ⊕2 (output)  input  S_i (output)
        1        0   0   1       0         1       0
        1        1   0   1       0         1       0
        1        1   1   1       1         0       1
        0        1   1   0       1         1       1
        1        0   1   1       1         0       1
        0        1   0   0       0         0       0
        0        0   1   0       1         1       1
        1        0   0   1       0         1       0
        1        1   0   1       0         1       0
        1        1   1   1       1         0       1
        0        1   1   0       1         1       1
        1        0   1   1       1         0       1
        0        1   0   0       0         0       0
        0        0   1   0       1         1       1
        1        0   0   1       0         1       0

The output column repeats 0011101 every 7 iterations, forever. Mathematically this looks like:

𝑆3 ≡ 𝑆1 + 𝑆0 mod 2

𝑆4 ≡ 𝑆2 + 𝑆1 mod 2

𝑆5 ≡ 𝑆3 + 𝑆2 mod 2

𝑆𝑖+3 ≡ 𝑆𝑖+1 + 𝑆𝑖 mod 2

General LFSRs are represented mathematically as:

$S_m \equiv S_{m-1} P_{m-1} + S_{m-2} P_{m-2} + \ldots + S_1 P_1 + S_0 P_0 \pmod 2$

$S_{m+1} \equiv S_m P_{m-1} + S_{m-1} P_{m-2} + \ldots + S_2 P_1 + S_1 P_0 \pmod 2$

Important:

$S_{m+i} \equiv \sum_{j=0}^{m-1} S_{i+j} \cdot P_j \pmod 2$


Theorem: The maximum period (sequence length) generated by an LFSR of degree $m$ is $2^m - 1$. Only certain feedback configurations (“primitive polynomials”) yield maximum-length sequences.

LFSRS are often specified by:

$P(x) = x^m + p_{m-1} x^{m-1} + \ldots + p_1 x + p_0$

LFSR Security

Warning: Attack: Oscar has

• all $y_i$

• the degree $m$ (simple attack)

• $x_0, \ldots, x_{2m-1}$ (header information)

Attack step by step:

1. Decode header information:

(a) We have 𝑦𝑖 ≡ 𝑥𝑖 + 𝑠𝑖 mod 2

(b) Solve for 𝑠𝑖

• 𝑠𝑖 = 𝑦𝑖 + 𝑥𝑖 mod 2

(c) Compute: 𝑖 = 0, 1, ..., 2𝑚− 1

2. Decode all further information:

• Set up a system of linear equations, then solve 5.

𝑆𝑚 ≡ 𝑆𝑚−1𝑃𝑚−1 + ... + 𝑆0𝑃0 mod 2

𝑆𝑚+1 ≡ 𝑆𝑚𝑃𝑚−1 + ... + 𝑆1𝑃0 mod 2

···

𝑆2𝑚−1 ≡ 𝑆2𝑚−2𝑃𝑚−1 + ... + 𝑆𝑚−1𝑃0 mod 2

3. Use the recovered $P_i$ values to build the LFSR and generate all further $S_i$ values.

4. Decipher text.

If an attacker knows (at least) 2𝑚 output values of a LFSR, the entire LFSR configuration can be recovered.
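The LFSR recurrence and the $2m$-known-bits attack, as an added example (not code from the rtfm notes): lfsr implements $S_{i+m} = \sum_j P_j S_{i+j} \bmod 2$, period shows that $x^3 + x + 1$ reaches $2^3 - 1 = 7$ while the reducible $x^3 + x^2 + x + 1$ does not, and recover_feedback sets up the $m$ linear equations from step 2 and solves them by Gaussian elimination over GF(2). The taps, initial states and plaintext are constructed for the demo; function names are my own.

```python
# Added example (not code from the rtfm notes): an LFSR as in the S_{i+m} recurrence,
# its period, and the 2m-known-bits attack that recovers the feedback coefficients by
# Gaussian elimination over GF(2). Taps, states and plaintext are constructed.

def lfsr(p, state, n):
    """p = [p_0, ..., p_{m-1}] feedback taps, state = [S_0, ..., S_{m-1}].
    Returns S_0..S_{n-1} with S_{i+m} = sum_j p_j * S_{i+j} mod 2."""
    m = len(p)
    s = list(state)
    while len(s) < n:
        s.append(sum(pj * sj for pj, sj in zip(p, s[-m:])) % 2)
    return s[:n]


def period(p, state):
    """Clocks until the register is back in its initial state (at most 2^m - 1)."""
    m = len(p)
    s = lfsr(p, state, 2 * 2**m + m)       # long enough to contain any cycle
    for t in range(1, 2**m + 1):
        if s[t:t + m] == s[:m]:
            return t
    return None


def recover_feedback(s, m):
    """From 2m consecutive keystream bits solve the m equations
    S_{m+i} = sum_j p_j S_{i+j}  (i = 0..m-1) for the taps p_0..p_{m-1}."""
    rows = [s[i:i + m] + [s[m + i]] for i in range(m)]   # augmented matrix over GF(2)
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            return None                    # these 2m bits do not determine the taps
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [row[m] for row in rows]


def lfsr_attack(y, x_known, m):
    """Oscar has all ciphertext bits y, the degree m and the first 2m plaintext bits."""
    s = [yi ^ xi for yi, xi in zip(y[:2 * m], x_known[:2 * m])]   # keystream bits
    p = recover_feedback(s, m)
    if p is None:
        raise ValueError("degenerate keystream segment; need a different window")
    stream = lfsr(p, s[:m], len(y))        # rebuild the whole keystream
    return p, [yi ^ si for yi, si in zip(y, stream)]


def bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def unbits(b):
    return bytes(int("".join(map(str, b[i:i + 8])), 2) for i in range(0, len(b), 8))


if __name__ == "__main__":
    print(lfsr([1, 1, 0], [1, 0, 0], 14), period([1, 1, 0], [1, 0, 0]))   # period 7
    x = bits(b"ID=7;secret")
    y = [a ^ b for a, b in zip(x, lfsr([1, 1, 0, 0], [1, 0, 0, 0], len(x)))]
    print(lfsr_attack(y, x[:8], 4)[0])    # taps of x^4 + x + 1 recovered from 8 bits
```

The elimination never sees the secret initial state; the first $m$ recovered keystream bits are that state. This is also why adding more flip-flops does not help: the attacker needs only $2m$ known bits and $O(m^3)$ bit operations, however large $m$ is.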

Block Ciphers

“Feistel and Coppersmith rule. Sixteen rounds and one hell of an avalanche.”

—Stephan Eisvogel

Most commonly used symmetric algorithms. They tend to be more secure than the stream ciphers and can also be usedto build stream ciphers.

⁵ Can easily be solved using Gaussian elimination or matrix inversion.


Data Encryption Standard (DES)

• Plaintext: 64-bits (8 bytes)

– This block size is small (and inefficient) by modern standards

• Key length: 56-bits

– Usually stored in 64 bits, with one bit of each byte used for parity.

• Insecure

– Broken in the 90’s

– Today can be broken in days with a modest investment

• 3DES (Triple DES) is still considered secure

– Not double

– 3DES actual key length: 168 bits

– 3DES effective key length: 112 bits

* See Multiple-Time Encryption for explanation.

• Easy and small to implement in hardware

• Inefficient in software

Feistel Network

Many of today’s ciphers are Feistel ciphers. In each round only one half is changed, using a ⊕ operation: $L_1 = R_0$ and $R_1 = L_0 \oplus f(R_0, K_1)$. Decryption recomputes $f$ on the unchanged half and XORs it off again:

$f(R_0, K_1) \oplus R_1 = L_0$

DES Internals

$IP$ and $IP^{-1}$:

• Simple bitwise permutation that scrambles the bits.

• This does not increase security when used at the beginning or the end.

– It was there for practical, technical, electrical engineering reasons.

– Possibly not even meant to be part of the standard.


Details of the 𝑓 function:

• Inputs: 𝑅𝑖−1 and 𝐾𝑖

• 4 Steps:

1. Expansion 𝐸

– Provides Diffusion (Half the bits are duplicated)

2. XOR with round key

3. S-Box substitution

– Uses lookup tables, with an unusual decoding method ⁶.

– The “heart” of DES; provides confusion.

4. Permutation (bitwise)

DES Key Schedule:

⁶ The 4 middle bits pick a column, the 2 outside bits pick a row.


• Computing the 16 subkeys 𝑘1 to 𝑘16 consists of simple operations.

• PC-1: Permuted Choice 1

– Drops bits 8, 16, 24, ..., 64 (the parity bits)

– Effective key length of DES is 64 − 8 = 56 bits

• $LS_i$ (really a left rotate ⁷)

    LS_i = rotate by 1 position for i = 1, 2, 9, 16
    LS_i = rotate by 2 positions for i = 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14, 15

• PC-2: Permuted Choice 2

– 56 bits in, 48 bits out.

– Another 8 bits are dropped, the rest are permuted

– The output is 𝐾𝑖

Note that there is not a single boolean gate, this is completely just wire crossing. No XOR no matrix, nothing. Eachkey 𝑘1, ..., 𝑘16 is merely a permutation of the original 56-bit key.

DES Decryption

Each decryption round undoes one encryption round, in reverse order: decryption round 1 undoes encryption round 16, and so on.

Proof (superscript $e$: encryption, $d$: decryption; $(L^d_0, R^d_0) = (R^e_{16}, L^e_{16})$ because of the final swap):

1. $L^d_1 = R^e_{15}$, and the claim is $R^d_1 = L^e_{15}$

2. $R^d_1 = L^d_0 \oplus f(K_i, R^d_0)$

3. $R^d_1 = L^e_{15} \oplus f(K_{16}, R^e_{15}) \oplus f(K_i, R^d_0)$

4. $R^d_1 = L^e_{15} \oplus f(K_{16}, R^e_{15}) \oplus f(K_i, R^e_{15})$

5. With $K_i = K_{16}$: $R^d_1 = L^e_{15} \oplus 0\text{x}00000000 = L^e_{15} \quad QED$

⁷ Total number of shifts: 4 · 1 + 12 · 2 = 28. Note where 28 comes up in the diagram: rotating a 28-bit half by 28 positions in total has the effect that $C_{16} = C_0$ and $D_{16} = D_0$, which is important for decryption.


Notes on step 1 ⁸, 2 ⁹, 3 ¹⁰, 4 ¹¹.

The remaining round reversals work the same: round $2^d$ reverses round $15^e$, and so on until round $16^d$ reverses round $1^e$.
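The Feistel structure and the decryption argument above, as an added example (not code from the rtfm notes, and not DES: the round function f is an arbitrary non-invertible mixer constructed for the demo). round_states exposes the $(L_i, R_i)$ pairs so that $L^d_1 = R^e_{15}$ and $R^d_1 = L^e_{15}$ can be checked directly; the second half implements the $LS_i$ rotation amounts from the key schedule to show that $C_{16} = C_0$. Names and the test key are my own.

```python
# Added example (not code from the rtfm notes): a toy 16-round Feistel network (NOT DES:
# f() below is an arbitrary non-invertible mixer constructed for the demo) showing that
# decryption is encryption with the subkeys reversed, plus the DES key-schedule
# rotation amounts from the text, which sum to one full 28-bit rotation.

MASK32 = 0xFFFFFFFF
ROUNDS = 16


def f(right, subkey):
    """Toy round function: need not be invertible, only deterministic."""
    v = (right ^ subkey) & MASK32
    v = (v * 0x9E3779B1) & MASK32             # constructed mixing constant
    return ((v << 13) | (v >> 19)) & MASK32   # rotate left by 13


def feistel_round(left, right, subkey):
    """L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i): only one half is changed."""
    return right, left ^ f(right, subkey)


def feistel(block, subkeys):
    """Run the rounds, then swap the halves (as DES does before IP^-1)."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = feistel_round(left, right, k)
    return (right << 32) | left


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    return feistel(block, list(reversed(subkeys)))   # K_16 first, ..., K_1 last


def round_states(block, subkeys):
    """(L_i, R_i) after each round, to compare L^d_1 = R^e_15 and R^d_1 = L^e_15."""
    left, right = block >> 32, block & MASK32
    states = []
    for k in subkeys:
        left, right = feistel_round(left, right, k)
        states.append((left, right))
    return states


# DES key schedule: rotation amounts LS_i applied to the two 28-bit halves C and D
DES_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def rotl28(x, n):
    return ((x << n) | (x >> (28 - n))) & 0x0FFFFFFF


def des_half_schedule(c0):
    """C_1..C_16 for one 28-bit half; C_16 == C_0 because the shifts total 28."""
    cs, c = [], c0
    for n in DES_SHIFTS:
        c = rotl28(c, n)
        cs.append(c)
    return cs


if __name__ == "__main__":
    ks = [(0x01234567 * (i + 1)) & MASK32 for i in range(ROUNDS)]   # constructed subkeys
    block = 0x0123456789ABCDEF
    print(hex(encrypt(block, ks)), decrypt(encrypt(block, ks), ks) == block)
    print(sum(DES_SHIFTS), des_half_schedule(0x0ABCDEF)[-1] == 0x0ABCDEF)
```

Because the schedule ends where it started, a decryptor can generate $K_{16}$ first by running the same rotations in the opposite direction, which is exactly what the note on step 4 relies on.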

DES Security

Warning: DES has been insecure since the 90’s.

Families of attack:

1. Analytical Attacks

• Differential Cryptanalysis (1990): requires $2^{47}$ $(x, y)$ pairs. Note that this requires known plaintext and ciphertext; an attacker listening to enough headers for long enough could eventually recover the key, but it is very hard, and if the key is changed in a reasonable amount of time it will not work.

• Linear Cryptanalysis (1993): requires $2^{43}$ $(x, y)$ pairs. A little better, but not enough.

2. Brute Force Attack

• Given $(x_0, y_0)$, i.e. 8 bytes of known plaintext, test $DES^{-1}_{K_i}(y_0) \stackrel{?}{=} x_0$.

• For $i = 0, \ldots, 2^{56} - 1$ check whether $y_0$ decrypts to $x_0$, i.e. try every possible key.

• Deep Crack (1998): special-purpose DES hardware cracker. Would break DES in a few days and cost $250,000. This was the official death of DES; however AES was already in the works.

• COPACOBANA (2006): special-purpose, FPGA-based DES hardware cracker; would break DES in a few days at a cost of about $10,000.

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is a block cipher selected by NIST (the National Institute of Standards and Technology) in October 2000 to replace DES, and subsequently published as a standard. After a competition between candidate ciphers, the submission by Joan Daemen and Vincent Rijmen called Rijndael was named the AES.

The key is much larger than that of DES (128, 192 or 256 bits, versus 56). AES was designed to be efficient in software (DES was designed for hardware). All internal operations of AES are based on finite fields.

Remarks:

• AES is right now the most important symmetric algorithm in the world.

• The NSA (National Security Agency) used to only use its own algorithms; now it allows AES for classified data up to TOP SECRET with a 192- or 256-bit key.

AES’s irreducible polynomial:

𝑃 (𝑥) = 𝑥8 + 𝑥4 + 𝑥3 + 𝑥 + 1

The number of rounds depends on the key length:

⁸ That $L^d_1 = R^e_{15}$ follows just by tracing: no operations take place on $R^e_{15}$.

⁹ $L^d_0$ is the result of the XOR of $L^e_{15}$ and $f$, so we substitute.

¹⁰ Now to show that $R^d_1 = L^e_{15}$ we must show that $f(K_{16}, R^e_{15})$ and $f(K_i, R^d_0)$ are the same. This will make them cancel, because when you XOR something with itself the result is zero. To achieve this one more substitution is used, derived by wire tracing: $R^d_0 = R^e_{15}$.

¹¹ Now we just use the correct subkey. This is easily calculated because it is derived through simple permutations that are part of the standard. The functions cancel.


    key length k   rounds
    128            10
    192            12
    256            14

How it Works

• AES is not a Feistel cipher.

• Encrypts all 128 bits of data path in 1 round

• Consists of four layers

1. Byte substitution (ByteSub)

– Provides Confusion

2. Shift Row (ShiftRow)

– Provides Diffusion

3. Mixed Column (MixCol)

– Provides Diffusion

4. Key Addition

• Last round does not have the mixed column layer

Many modern block ciphers use key whitening: AES adds a subkey at the very beginning and at the very end.

AES Internals

• AES is a byte oriented cipher

– all operations take place on bytes

• The 128 bit data path is split into 16 bytes

• Layers: one round

1. Byte Sub

– 16 Byte input is split into 4 4-byte groups

– each byte is put into the S-box

– 8 bits in, 8 bits out

– 16 S-boxes running in parallel

– When the AES S-box was designed, much more was known about S-boxes and resistance to differential cryptanalysis. It has more mathematical structure than the DES S-box.

– Consists of two parts

(a) Calculate inverse

(b) Affine Mapping

* Hardens against attacks in patterns of inverse calculation

– Enhanced for software

* All 256 possible outputs of the S-box can be precomputed and stored in a table

* Tables like that are awkward to put in hardware, where the S-box is computed instead

2. Shift Row

– Just a byte permutation, diffuses the 4 byte group

3. MixCol

– There are four separate MixCol boxes, has four outputs, ensures that one bit flip affectsother inputs to the MixCol box. (Matrix multiplication)

4. Key Add

– 128 bits, bitwise XOR, 𝐾𝑖1 ⊕ MixCol𝑖1 for each MixCol output byte

Byte Substitution Layer (S-Box)

𝑆(𝐴𝑖) = 𝐵𝑖

Note: All 16 S-boxes are identical, and are published widely online.

$A_i = 0\text{x}C2 = 1100\ 0010$, read as (row, column) = (C, 2)

To read the table use the first hex digit as the row and the second as the column. Example of output:

$B_i = S(A_i) = 0\text{x}25 = 0010\ 0101$

S-box construction: we consider $A_i \in \mathrm{GF}(2^8)$ and compute its inverse. For example:

$A_i = 1100\ 0010$

$A_i(x) = x^7 + x^6 + x$

$B'_i(x) = x^5 + x^3 + x^2 + x + 1 = A_i^{-1}(x)$

$B'_i = 0010\ 1111$

Inverse check:

$(x^7 + x^6 + x) \cdot (x^5 + x^3 + x^2 + x + 1) \equiv 1 \bmod (x^8 + x^4 + x^3 + x + 1)$

Affine mapping: multiply by a fixed matrix and add a constant vector to obtain the output $B_i$.

Shift Row

Very systematic if we write the state (16 bytes of the data path) as a 4 × 4 matrix.

1. Row one: no shift

2. Row two: shift left by 1 byte

3. Row three: shift left by 2 bytes

4. Row four: shift left by 3 bytes

This splits each group of 4 bytes so that one byte from each original group ends up in each new 4-byte group, which ensures that one bit flip affects all output groups.


MixCol Example: 1st MixCol box

• Four one byte inputs, one from each of the initial 4 byte groups.

• Matrix multiplication

– Each row of the standard matrix is a cyclic shift of the previous row; the matrix is multiplied by the input column.

– Each operation is $GF(2^8)$ multiplication and addition

– Do polynomial multiplication and modulo reduction

• Four one byte outputs

01 = 0000 0001 = 1

02 = 0000 0010 = 𝑥

03 = 0000 0011 = 𝑥 + 1
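The byte substitution layer and one MixCol box from the sections above, as an added example that is not code from the rtfm notes: the S-box is built from the $GF(2^8)$ inverse followed by the affine map (the affine constant 0x63 comes from the AES standard, not from the notes), and the worked value $A_i = 0xC2$ is checked against the notes' result 0x25. The MixCol test column is a constructed input.

```python
# Added example (not code from the rtfm notes): the AES byte substitution layer
# built from the GF(2^8) inverse plus the affine map, and one MixCol box.
# Reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B) as in the notes; the
# affine constant 0x63 is the one from the AES standard.
AES_POLY = 0x11B
AFFINE_CONST = 0x63


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements: polynomial multiplication, then
    reduction modulo AES_POLY (XOR of the modulus whenever bit 8 appears)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8): a^254 = a^-1 by square-and-multiply
    (the field has 255 nonzero elements). AES maps 0 to 0 by convention."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0


def affine_map(a: int) -> int:
    """The affine part of the S-box: output bit i is the XOR of input bits
    i, i+4, i+5, i+6, i+7 (mod 8) and bit i of the constant 0x63."""
    b = 0
    for i in range(8):
        bit = (a >> i) ^ (a >> ((i + 4) % 8)) ^ (a >> ((i + 5) % 8))
        bit ^= (a >> ((i + 6) % 8)) ^ (a >> ((i + 7) % 8)) ^ (AFFINE_CONST >> i)
        b |= (bit & 1) << i
    return b


def sbox(a: int) -> int:
    """S(A_i) = affine(inverse(A_i)): the two parts listed in the notes."""
    return affine_map(gf_inv(a))


# The software-friendly form: all 256 outcomes precomputed as a lookup table.
SBOX = [sbox(a) for a in range(256)]


def mix_column(col):
    """One MixCol box: multiply the 4-byte column by the circulant matrix
    02 03 01 01 / 01 02 03 01 / 01 01 02 03 / 03 01 01 02 over GF(2^8)."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]


def bytes_changed_by_bit_flip(col, bit):
    """Diffusion check from the notes: flip one input bit of the column and
    count how many of the four output bytes change."""
    flipped = list(col)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return sum(x != y for x, y in zip(mix_column(col), mix_column(flipped)))


if __name__ == "__main__":
    # Worked example from the notes: A_i = 0xC2, inverse 0x2F, S(A_i) = 0x25
    print(hex(gf_inv(0xC2)), hex(sbox(0xC2)))
    # Constructed column; every single-bit flip changes all four output bytes
    print([bytes_changed_by_bit_flip([0xD4, 0xBF, 0x5D, 0x30], b) for b in range(32)])
```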

More About Block Ciphers

So far the view on block ciphers has been sending each sequential block one at a time to be encrypted or decrypted. But block ciphers can be used for other tasks:

• Different encryption schemes

• Stream cipher

• PRNG

• Hash Function

• PRNGS

Operation Mode Different ways of using a block cipher for encryption.

Deterministic Encryption:

• An encryption scheme is “deterministic” if a particular PT is mapped to a fixed CT if the key is unchanged.

– Electronic Code Book Mode (ECB)

Probabilistic Encryption:

• A “probabilistic” encryption scheme uses randomness to achieve a non-deterministic generation of $y_i$. The encryption algorithm takes an additional random variable $r$, which is sent over the transmission unencrypted (it is not a secret), and Bob uses the decryption algorithm with $r$ to decrypt.

– Block Cipher

* Cipher Block Chaining Mode (CBC) [12]

– Stream Cipher

* Output Feedback Mode (OFB)

* Cipher Feedback Mode (CFB)

* Counter Mode (CTR)

[12] Note that the substitution attack that is described against this mode is not necessarily relevant to other modes.


ECB (Electronic Code Book) Mode: the simplest way, but not a good one. It is deterministic.

$\ldots, x_3, x_2, x_1 \to e(x_i, k) \to \ldots, y_3, y_2, y_1 \to e^{-1}(y_i, k) \to \ldots, x_3, x_2, x_1$

Warning: Attack: Electronic Funds Transfer between banks. Money at bank $A$ is being transferred to bank $B$. Simple transfer protocol, a record with five fields:

BL1          BL2          BL3          BL4          BL5
A Routing #  A Account #  B Routing #  B Account #  Amount

Assumptions:

1. Each field (1, ..., 5) is exactly $n$ bits wide, where $n$ is the block size of the block cipher.

2. Key $K_{AB}$ is fixed for some time, i.e. it is not changed every transaction.

Now we have an Oscar that is an active attacker: he can listen to and modify messages. Note: Oscar does not break the block cipher; the attack works by moving ciphertext blocks. This is a ciphertext-only attack. It is similar to the frequency analysis done on shift ciphers: the same block in will always produce the same block out, just as the same letter in with a shift cipher always produced the same letter out under the same key.

• Oscar opens one account at Bank A, and one at Bank B

• He wiretaps the network and can listen to it; he then repeatedly transfers one euro from his $A$ account to his $B$ account.

• He can find his transfers by using traffic analysis. While he cannot make out his message from its contents, he can tell which ones are exactly the same as the others he has sent, to pick his out of the noise.

• He looks for the different blocks and stores encrypted block 𝐵𝐿4.

• The idea here is to find a way to modify $BL4$ to change the account number of other transfers to his account. All he needs to do is copy and paste his $BL4$ onto other transfers where $BL1$ and $BL3$ match his blocks.

• Transfers are directed to Oscar’s account.

CBC (Cipher Block Chaining Mode) Mode: For CBC mode the IV must be shared between the communicating parties, and decryption is done with the reverse of the algorithm. The first block of input is XORed with the IV and then encrypted with the key $K$; the resulting ciphertext block is then used as the IV input for the next iteration, and this process is continued for the entire session.

Difference to ECB:

1. Make encryption probabilistic

2. Combine encryption of all blocks

IV: Initial Vector

• IV is sent in plaintext.

• It should be a NONCE (Number Used Only Once); otherwise this will not help with changing the ciphertext for identical messages.

• There are many ways of generating IVs

– True random number. This has the danger of repetition.

– A counter value (must be stored by Alice)

– $ID_{Alice} \| ID_{Bob} \| \text{Time}$


$y_1 = e_k(x_1 \oplus IV)$

$y_i = e_k(x_i \oplus y_{i-1}),\ i \ge 2$

$x_1 = e_k^{-1}(y_1) \oplus IV$

$x_i = e_k^{-1}(y_i) \oplus y_{i-1},\ i \ge 2$

Other Properties:

• Changes in plaintext propagate forever in ciphertext

• Encryption cannot be parallelized

• Decryption can be parallelized

OFB (Output Feedback Mode) Mode: using the block cipher as a keystream generator. The keystream is generated by the standard block cipher as $e(IV, K)$, and its output is XORed with the plaintext to encrypt. The output is stored and fed back into the block cipher as the next $IV$.

𝑥𝑖 ⊕ 𝑆𝑖 → 𝑦𝑖

To decrypt we do not use decryption; we use the exact same setup with the block cipher to generate the exact same stream of bits to undo the XOR.

CFB (Cipher Feedback Mode) Mode: used for generating a stream cipher, but closely related to CBC.

$y_0 = IV$

$y_i = e_k(y_{i-1}) \oplus x_i$

$x_i = e_k(y_{i-1}) \oplus y_i$

One major advantage of CFB is that if some part of the ciphertext is lost in transmission only part of the message will be lost, and error-free decryption can resume once undamaged data transfer resumes. Unfortunately the amount of error tolerance for this property depends on the implementation. If encrypting one block at a time, it will hold only if the transmission loss happens to be exactly one block, but not another amount such as a single bit lost in a block. To be able to re-synchronize after the loss of a bit, the message must be encrypted one bit at a time, or in whatever unit of loss the implementation is designed to protect against. Whatever amount the implementation is designed to protect against, it will also re-synchronize after any multiple of that amount; for example the textbook one-block-at-a-time model will also self-synchronize after the loss of multiple blocks. This is normally implemented with shift registers.

Like CBC:

• Changes in plaintext propagate forever in ciphertext

• Encryption cannot be parallelized

• Decryption can be parallelized

When decrypting, a single bit error corrupts two blocks: the single bit in the decrypted block, and complete corruption of the following block, after which correct decryption resumes.

Another advantage is that no padding is required and therefore less network and processing resources are used.

CTR (Counter Mode): Unlike CFB and CBC there is no chaining and each round is independent of the others. It still eliminates the problem ECB Mode has of the same plaintext always mapping to the same ciphertext.

Operation:

• Uses a counter which acts similar to a IV

• Counter is a function guaranteed not to repeat for a long time


• The counter is used as the plain text input to the block cipher.

• The key is input and the counter is encrypted.

• The block cipher output is XORed with the plaintext to produce the ciphertext.

• A random nonce may be combined with the counter using any lossless operation such as XOR, addition or concatenation

• A sequential, non-random nonce must be concatenated; otherwise the system is broken by chosen-plaintext attacks.

• A popular implementation uses half of the counter input as a random nonce and concatenates it with a sequential counter.

Advantages:

• Encryption can be parallelized

• Decryption can be parallelized

• Efficient in hardware

• Efficient in software

• Preprocessing, encryption can be done without waiting for plaintext

– Compute 𝐸(𝐶𝑇𝑅,𝐾) and XOR it with the plaintext later.

• Simplicity, no need for a decryption algorithm
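The modes described above (ECB, CBC, CTR), as an added example that is not code from the rtfm notes. They run over a constructed toy 64-bit block cipher (a 4-round Feistel network with SHA-256 as round function) that merely stands in for AES/DES; the key, IV and plaintext are constructed. Alongside the modes is a defender-side check that counts repeated ciphertext blocks, the leak behind the bank-transfer attack, and a check of CBC's error propagation.

```python
# Added example, not from the rtfm notes: the modes above implemented over a
# constructed toy 64-bit block cipher (a 4-round Feistel network whose round
# function is SHA-256), plus a defender-side check for the ECB weakness.
# The toy cipher only stands in for AES/DES here; it is not a real cipher.
import hashlib

BLOCK = 8  # toy block size in bytes (small, so repeated blocks are easy to see)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:4]
        l, r = r, xor(l, f)
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + l).digest()[:4]
        l, r = xor(r, f), l
    return l + r


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    # Deterministic: the same plaintext block always gives the same ciphertext block.
    return b"".join(toy_block_encrypt(key, x) for x in blocks(pt))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for x in blocks(pt):
        prev = toy_block_encrypt(key, xor(x, prev))  # y_i = e_k(x_i XOR y_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for y in blocks(ct):
        out.append(xor(toy_block_decrypt(key, y), prev))  # x_i = e_k^-1(y_i) XOR y_{i-1}
        prev = y  # only the previous ciphertext block is needed: parallelisable
    return b"".join(out)


def ctr_crypt(key, nonce: bytes, data: bytes) -> bytes:
    """CTR: counter input = 4-byte random nonce || 4-byte sequential counter
    (concatenated, as the notes require for a sequential part). The same
    function encrypts and decrypts; the keystream needs no plaintext."""
    n_blocks = -(-len(data) // BLOCK)
    stream = b"".join(toy_block_encrypt(key, nonce + i.to_bytes(4, "big"))
                      for i in range(n_blocks))
    return xor(data, stream)


def repeated_blocks(ct: bytes) -> int:
    """Defender's check: number of ciphertext blocks that repeat an earlier one.
    A nonzero count on ECB output is the leak the bank-transfer attack exploits."""
    counts = {}
    for b in blocks(ct):
        counts[b] = counts.get(b, 0) + 1
    return sum(c - 1 for c in counts.values())


def cbc_bit_flip_effect(key, iv, pt, block_index, bit):
    """Flip one ciphertext bit, decrypt, and report per plaintext block how many
    bits changed: the hit block is garbled, the next block has exactly one
    flipped bit, all others decrypt correctly."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[block_index * BLOCK + bit // 8] ^= 1 << (bit % 8)
    damaged = cbc_decrypt(key, iv, bytes(ct))
    return [sum(bin(x ^ y).count("1") for x, y in zip(a, b))
            for a, b in zip(blocks(pt), blocks(damaged))]


if __name__ == "__main__":
    key, iv = b"constructed-key!", bytes(BLOCK)
    pt = b"ATTACK AT DAWN!!" * 4  # constructed: 8 blocks, two distinct values
    print("ECB repeats:", repeated_blocks(ecb_encrypt(key, pt)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(key, iv, pt)))
    print("CBC bit flip:", cbc_bit_flip_effect(key, iv, pt, 2, 5))
```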

Multiple-Time Encryption: DES is still a sound cipher; however, the keyspace is too small. Because of its nice hardware properties there has been a push to expand the keyspace of DES.

Double Encryption

$x_1 \to e(x_1, k_l) \to e(x'_1, k_r) \to y_1$

Complexity of a brute-force attack using the naive method:

$e^{-1}_{k_l}(e^{-1}_{k_r}(y_1)) \stackrel{?}{=} x_1$

• Number of key tests:

$2^{56} \cdot 2^{56} = 2^{112}$

Now with meet-in-the-middle, search for $k_l$ and $k_r$ separately. If searching with complete independence is possible we end up with:

$2^{56} + 2^{56} = 2 \cdot 2^{56} = 2^{57}$

Phase I: Search through all of $k_l$ and store all middle values, $Z_{l,i}$, in a database with its key $k_{l,i}$.

$e_{k_{l,i}}(x_1) = Z_{l,i} \quad \forall i$

Complexity so far is equal to one DES brute force attack plus the storage:

$2^{56}$ enc + $2^{56}$ storage locations

Phase II: Now we use decryption:

$e^{-1}_{k_{r,j}}(y_1) = Z_{r,j}$


After each decryption we check whether the decryption $Z_{r,j}$ matches any of the encryptions $Z_{l,i}$ from Phase I in the table. This is done for every decryption value until we get a match, or collision.

$Z_{l,i} \stackrel{?}{=} Z_{r,j}$

If this collision condition is fulfilled:

$e^{-1}_{k_{l,i}}(e^{-1}_{k_{r,j}}(y_1))$

such that $i$ and $j$ are the collision values. The pair $(k_{l,i}, k_{r,j})$ that produced the collision is a possible key pair $(k_l, k_r)$, but false matches are possible: sometimes multiple key pairs encrypt $x_1$ to $y_1$. Then we have to use a second pair $(x_2, y_2)$:

$x_2 \stackrel{?}{=} e^{-1}_{k_{l,i}}(e^{-1}_{k_{r,j}}(y_2))$

If the second pair does not work then we have a false positive and must keep searching for $k_r$.

• Phase I: $2^{56}$ enc + $2^{56}$ storage

• Phase II: $2^{56}$

• Total: $2^{57}$ enc + $2^{56}$ storage

Caution: Conclusion: Double encryption is only marginally more secure than single encryption.
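The two-phase meet-in-the-middle search above, as an added example that is not code from the rtfm notes. It is scaled down to a constructed toy 16-bit block cipher with a 16-bit key, so the $2 \cdot 2^{16}$ table search completes in seconds while a naive $2^{32}$ search would not; the secret keys and known plaintext/ciphertext pairs are constructed, and the extra pairs show how false positives are weeded out.

```python
# Added example, not from the rtfm notes: the meet-in-the-middle search above,
# scaled down to a constructed toy 16-bit block cipher with a 16-bit key so the
# 2 * 2^16 two-phase search runs in seconds, where the naive 2^32 search would
# take hours in Python. Keys, plaintexts and the cipher itself are constructed.
KEY_BITS = 16
MASK = 0xFFFF
MULT, ADD = 0x9E37, 0x1234                    # odd multiplier: invertible mod 2^16
MULT_INV = pow(MULT, (1 << 15) - 1, 1 << 16)  # Euler: phi(2^16) = 2^15


def toy_encrypt(x: int, k: int) -> int:
    """Constructed 4-round toy cipher: key mixing, rotation, affine step.
    Every step is a bijection, so it is a keyed permutation (not a real cipher)."""
    for rnd in range(4):
        x = (x ^ k ^ rnd) & MASK
        x = ((x << 5) | (x >> 11)) & MASK
        x = (x * MULT + ADD) & MASK
    return x


def toy_decrypt(y: int, k: int) -> int:
    for rnd in reversed(range(4)):
        y = ((y - ADD) * MULT_INV) & MASK
        y = ((y >> 5) | (y << 11)) & MASK
        y = (y ^ k ^ rnd) & MASK
    return y


def double_encrypt(x: int, k_l: int, k_r: int) -> int:
    return toy_encrypt(toy_encrypt(x, k_l), k_r)


def meet_in_the_middle(pairs):
    """pairs: known (x, y) pairs, y = e_{k_r}(e_{k_l}(x)). Returns all (k_l, k_r)
    that survive every pair. Phase I: table of Z_l,i = e_{k_l,i}(x_1) under every
    k_l. Phase II: for every k_r compute Z_r,j = e^-1_{k_r,j}(y_1) and look it up;
    a collision Z_l,i == Z_r,j gives a candidate, and the remaining pairs
    weed out false positives."""
    (x1, y1), rest = pairs[0], pairs[1:]
    table = {}
    for k_l in range(1 << KEY_BITS):          # 2^16 encryptions + 2^16 storage
        table.setdefault(toy_encrypt(x1, k_l), []).append(k_l)
    candidates = []
    for k_r in range(1 << KEY_BITS):          # 2^16 decryptions
        z = toy_decrypt(y1, k_r)
        for k_l in table.get(z, ()):
            if all(double_encrypt(x, k_l, k_r) == y for x, y in rest):
                candidates.append((k_l, k_r))
    return candidates


if __name__ == "__main__":
    k_l, k_r = 0x1234, 0xBEEF                 # constructed secret keys
    known = [(x, double_encrypt(x, k_l, k_r)) for x in (0x0001, 0x0002, 0x0003)]
    print(meet_in_the_middle(known))          # recovers [(0x1234, 0xBEEF)]
```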

Triple Encryption

$x_1 \to e(x_1, k_1) \to e(x'_1, k_2) \to e(x''_1, k_3) \to y_1$

Search through all of $k_1$ and store all middle values between it and $k_2$ in a database with its key $k_{1,i}$.

$e_{k_{1,i}}(x_1) = Z_{1,i} \quad \forall i \qquad$ $2^{56}$ enc + $2^{56}$ storage locations

Now we again use decryption, but now we must check all values for $k_3$ and $k_2$ combined:

$e^{-1}_{k_{2,j}}(e^{-1}_{k_{3,l}}(y_1)) = Z_{r,j}$

Again after each decryption we check whether it matches an encryption in our lookup table:

$Z_{1,i} \stackrel{?}{=} Z_{r,j}$

If this collision condition is fulfilled:

$e^{-1}_{k_{1,i}}(e^{-1}_{k_{2,j}}(e^{-1}_{k_{3,l}}(y_1)))$

such that $i$, $j$ and $l$ are the collision values. We must still check for false pairs.

Total Complexity:

• Phase I: $2^{56}$ enc + $2^{56}$ storage

• Phase II: $2^{56} \cdot 2^{56}$

• Total: $2^{112} + 2^{56}$ enc + $2^{56}$ storage $\approx 2^{112}$

Note: 3DES has an effective key length of 112 bits.


Brute Force Attacks: Exhaustive key searches can give false positive results; this can happen with any block cipher:

Alice:

$x_1 \to e(x_1, k_t) \to y_1$

Oscar:

$e_{k_1}(x_1) = y_1,\ k_1 \ne k_t$

The likelihood of Oscar finding a key that gives a false positive depends on the relative size of the key space, $|\mathcal{K}|$, and the plaintext space, $|\mathcal{P}|$:

$|\mathcal{K}| = 2^{80},\ |\mathcal{P}| = 2^{64}$

Now we start mapping all of $\mathcal{P}$ to all ciphertexts, $\mathcal{C}$.

$k_i(x_1)\ \forall i$

At some point there is a match $k_1$ which maps the plaintext to $y_1$. However there are $2^{80}$ keys to try and only $2^{64}$ plaintexts. There are $2^{80}$ mappings $x_1 \to \mathcal{C}$; if the mappings select random elements from $\mathcal{C}$, the number of key candidates equals:

$\frac{2^{80}}{2^{64}} = 2^{16}$

Only one key candidate is the target key, $k_t$. Assume Oscar knows a second plaintext, $x_2$. Now $k_t$ must be in the set of $2^{16}$ candidates from $x_1$.


1.4.4 Asymmetric Cryptography

date 14 February, 2016

“The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.”

—The Road Ahead

Introduction

Until now we have seen only the following model for an encryption scheme: the same key that is used for encryption is used for decryption. This is where symmetric cryptography gets its name from. The problem here is that Alice and Bob must share the same key to communicate. Key distribution can become very difficult for this model over insecure channels. If there is no secure channel this model breaks.

From Egypt until 1977 people thought this was the only way to do cryptography. The solution to the problem is very simple and the primary idea is “Do we even really need a key for encrypting something?” Encrypting by itself is not critical; decryption is the important part.

With an asymmetric cryptosystem there is a public key and a private key. The idea of the public key is to create a key that you display in a public place where anyone can look it up, such as a website. Encryption happens with the public key and decryption takes place with the private key. Now with this system Bob has two keys, a public key and a private key. The public key is given freely to everyone, including Oscar. To communicate, Alice encrypts with the public key and sends the ciphertext to Bob, and he then decrypts with his private key.

Unlike symmetric algorithms, public-key algorithms require the computation of the pair $(k_{pub}, k_{priv})$. There are some difficult computations that need to be done to generate key pairs; for example it can take up to a couple of hours for elliptic curve cryptography.


The RSA (Rivest, Shamir and Adleman) Cryptosystem

Keygen

Today $p$ and $q$ are generally greater than 512 bits; this creates an $n$ that is greater than 1024 bits. As of 2014 this is the definition of “large primes” and is subject to change as time goes by. Note that the bits of $n$ are what is used to discuss the security parameter of RSA; for example 1024 bit RSA refers to $n$ being 1024 bits.

Important: Generating the public-private key pair.

1. Choose large primes 𝑝, 𝑞

2. 𝑛 = 𝑝 · 𝑞

3. Φ(𝑛) = (𝑝− 1)(𝑞 − 1)

4. Choose 𝑘𝑝𝑢𝑏 = 𝑒 ∈ {1, 2, ...,Φ(𝑛) − 1} : gcd(𝑒,Φ(𝑛)) = 1

5. Compute 𝑘𝑝𝑟 = 𝑑 : 𝑑 · 𝑒 ≡ 1 mod Φ(𝑛)

Note that step 3 is really easy to compute if you know the prime factorization. Also the gcd condition in step 4 guarantees an inverse (decryption key).

Encryption

Given:

𝑘𝑝𝑢𝑏 = (𝑛, 𝑒), 𝑥 ∈ Z𝑛 = {0, 1, ..., 𝑛− 1}

Encryption:

𝑦 = 𝑒𝑘𝑝𝑢𝑏(𝑥) ≡ 𝑥𝑒 mod 𝑛

Decryption

Given:

𝑘𝑝𝑟 = 𝑑, 𝑦 ∈ Z𝑛 = {0, 1, ..., 𝑛− 1}

Decryption:

𝑥 = 𝑑𝑘𝑝𝑟(𝑦) ≡ 𝑦𝑑 mod 𝑛

Note that the security here relies on Oscar needing $d$; however, to recover $d$ he must calculate $\Phi(n)$, which requires factoring a 1024 bit or larger number, which is not possible today.

Examples

Bob: Generate keys and post public key

1. 𝑝 = 3, 𝑞 = 11

2. 𝑛 = 33

3. Φ(𝑛) = 2 · 10 = 20

4. Choose 𝑒 = 3

• Note that 3 and 20 are relatively prime


5. $d \equiv e^{-1} \equiv 7 \bmod 20$

6. $\to k_{pub} = (33, 3) \to$ Alice

Alice: Encryption

1. $x = 4$

2. $y = 4^3 = 64 \bmod 33 \equiv 31 \to y$

3. Alice $\to y \to$ Bob

Bob decrypts: $x = y^d = 31^7 \equiv 4$

Note that the math can be done much more easily with:

$31^7 \equiv (-2)^7 \bmod 33$

$31^7 \equiv -128 \bmod 33$

$31^7 \equiv -4 \cdot 33 + 4 \bmod 33$

$31^7 \equiv 4$

Diffie-Hellman Key Exchange

Elliptic Curve Cryptography

The motivation to move from $\mathbb{Z}_p^*$ Diffie-Hellman to elliptic curves is that the key lengths needed to be secure are much shorter, because the known attacks are weaker. For use in crypto we need to consider polynomials over $\mathbb{Z}_p$.

Important: The EC over $\mathbb{Z}_p$, $p > 3$, is the set of all pairs $(x, y) \in \mathbb{Z}_p$:

$y^2 \equiv x^3 + ax + b \bmod p$

together with an imaginary point at infinity $\mathcal{O}$, where $a, b \in \mathbb{Z}_p$ and:

$4a^3 + 27b^2 \not\equiv 0 \bmod p$

To create a DLP (Discrete Logarithm Problem) we need a cyclic group. For a group we need:

1. A set of Elements: all points on the curve

• Note that before now with Diffie-Hellman group elements were always just integers.

2. A group operation that fulfills the group laws.

An Additive Cyclic Group

An elliptic curve can define an additive cyclic group. The structure of the addition operation within the group is a little unintuitive, so before looking at the equations there is an intuitive geometric interpretation.

$P + Q = R$

You choose points $P$ and $Q$, which are connected by a line, and the mirror image of the third intersection is $R$. Note that as $Q$ approaches $P$ the line becomes a tangent; the mirror image of the third intersection is then called $2V$.

$P + P = 2V$


Analytical Expression for the Group Operation. Given: $y^2 \equiv x^3 + ax + b$, $P = (x_1, y_1)$, $Q = (x_2, y_2)$

1. Find the line's equation $l$: $y = sx + m$; the variable is $x$ while the parameters are $a, b, s, m$. The degree is 3 and yields 3 solutions.

$(sx + m)^2 = x^3 + ax + b$

$s^2x^2 + 2sxm + m^2 = x^3 + ax + b$

$x_1$, $x_2$, and $x_3$

2. Find the neutral element, or additive identity: 𝒪

3. Find the additive inverse: −𝑃

Important: Elliptic Curve Point Addition and Point Doubling Formulae

$x_3 = s^2 - x_1 - x_2 \bmod p$

$y_3 = s(x_1 - x_3) - y_1 \bmod p$

Where

$$s = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} \bmod p & \text{if } P \ne Q \text{ (point addition)} \\[6pt] \dfrac{3x_1^2 + a}{2y_1} \bmod p & \text{if } P = Q \text{ (point doubling)} \end{cases}$$

Note that to accomplish this we compute $(y_2 - y_1)(x_2 - x_1)^{-1} \bmod p$; the inverse is found with the extended Euclidean algorithm, which is what makes the division possible.

Finding the Neutral Element Definition of the neutral element in an additive group:

$p + C = p\ \forall p$

We define a point at infinity, $\mathcal{O}$. The neutral element equation is satisfied by $P + \mathcal{O} = P\ \forall P \in E$. Geometrically this causes the line to become vertical; with a vertical line the point of intersection then reflects back to $P$.

Finding the Additive Inverse: $P + (-P) = \mathcal{O}\ \forall P \in E$. Connect $P$ to infinity to create a vertical line; the inverse is the second point of intersection, directly below the point $P$.

$-P = (x, -y)$

Note that the $-y$ is the minus from normal arithmetic, while the $-P$ is the new minus in the scope of the group. That it is very easy to calculate the inverse is very important for fast cryptographic implementations.

Theorem: The points on an EC, including $\mathcal{O}$, have cyclic subgroups. Under certain conditions all points on an EC form a cyclic group.


The Elliptic Curve Discrete Logarithm Problem (ECDLP)

Example: EC as a cyclic group, for this specific curve, all points form a cyclic group.

$y^2 \equiv x^3 + 2x + 2 \bmod 17$

$P = (5, 1)$

$2P = P + P = (6, 3)$

$3P = 2P + P = (10, 6)$

$\cdots$

$18P = (5, 16) = (5, -1) = -P$

$19P = 18P + P = (5, 16) + (5, 1) = -P + P = \mathcal{O}$

$20P = 19P + P = \mathcal{O} + P = P$

$21P = 20P + P = P + P = 2P$

$22P = 21P + P = 2P + P = 3P$

Important: The Elliptic Curve Discrete Logarithm Problem

Given is an elliptic curve $E$. If we consider a primitive element $P$ and another element $T$, the DL (Discrete Logarithm) problem is finding the integer $d$, where $1 \le d \le \#E$, such that:

$P + P + \ldots + P = dP = T$

Start with the generator, or primitive element, $P$ and generate the group. The number of hops on the curve, $d$, is the secret key. It is difficult to compute this given only the start and end points.

Example: Given the generator $P = (5, 1)$ and $T = (16, 4) = d \cdot P$

$(16, 4) = d(5, 1)$

$d = ?$

Note that:

$d = K_{pr}$ is an integer (number of hops)

$T = K_{pub}$ is a point on the curve, a group element

For all DLPs (Discrete Logarithm Problems) the public key is a group element of whatever group you happen to be working with, and the private key is always an integer, the number of group operations.

Group Cardinality and Hasse's Theorem: In order to answer the question of group cardinality (notation: $\#E$) Hasse's theorem is needed. We can use Hasse's theorem to find the upper and lower bound of the cardinality of $E$.

Important: Hasse’s Theorem


Given an elliptic curve $E$ mod $p$, the number of points on the curve is denoted by $\#E$ and is bounded by:

$p + 1 - 2\sqrt{p} \le \#E \le p + 1 + 2\sqrt{p}$

This is a very rough approximation:

$\#E \approx p$

$\#E \approx p + 1 \pm 2\sqrt{p}$

$p$ is very large, say a 160 bit number; the square root of $p$ is 80 bits, and multiplied by two it is 81 bits. To put this into scope, consider winning 1,000,000 with a correction factor of 1,000. Relative to $p$ the correction factor is not very large. In practice, one needs the exact number of points in order to thwart certain attacks. Finding the exact number of points is computationally difficult. In practice there are standardised curves, for example the NIST curves. They are published with their cardinality.

Difficulty of Breaking the DLP: All EC (Elliptic Curve) protocols rely on the hardness of the ECDLP (Elliptic Curve Discrete Logarithm Problem). To break DH (Diffie-Hellman) or EC you must break the DLP. Long story short, the DLP is very hard. If the EC is chosen carefully the best known algorithm for computing the ECDLP requires $\approx \sqrt{p}$ steps.

Example: $p \approx 2^{160}$

$\sqrt{p} \approx \sqrt{2^{160}} = 2^{\frac{160}{2}} = 2^{80}$ steps

Elliptic Curve Diffie-Hellman (ECDH)

Straightforward adaptation of DH in $\mathbb{Z}_p$.

1. Set up curve and primitive element

$E: y^2 = x^3 + ax + b \bmod p$

$P = (x_P, y_P)$

2. Protocol start, known values: $E$, $P$

3. Alice and Bob calculate their private keys (integers)

$a = K_{pr,A} \in \{2, 3, \ldots, \#E - 1\}$

$b = K_{pr,B} \in \{2, 3, \ldots, \#E - 1\}$

4. Alice and Bob calculate their public keys (point on the curve)

𝐴 = 𝐾𝑝𝑢𝑏𝐴 = 𝑎 · 𝑃 = (𝑥𝐴, 𝑦𝐴)

𝐵 = 𝐾𝑝𝑢𝑏𝐵 = 𝑏 · 𝑃 = (𝑥𝐵 , 𝑦𝐵)

5. Alice and Bob exchange public keys

Alice → 𝐴 → Bob

Bob → 𝐵 → Alice

6. Alice and Bob calculate their session key


$a \cdot B = (x_{AB}, y_{AB})$

$b \cdot A = (x_{AB}, y_{AB})$

7. Encryption

$m \to \text{AES}_{x_{AB}}(m) \to c \to \text{AES}^{-1}_{x_{AB}}(c) \to m$

Elliptic Curve Square and Multiply

The group operations have changed, so the square and multiply operation must change also. The point multiplication $a \cdot p$ can be computed with the Double and Add algorithm; this is the same as the square and multiply algorithm but with a different operation:

Example:

26𝑝 = ?

$26p = (11010)_2\, p$

1. 𝑝 = 1𝑝

2. 𝑝 + 𝑝 = 2𝑝 = 10𝑝

3. 2𝑝 + 𝑝 = 3𝑝 = 11𝑝

4. 3𝑝 + 3𝑝 = 6𝑝 = 110𝑝

5. 6𝑝 + 6𝑝 = 12𝑝 = 1100𝑝

6. 12𝑝 + 𝑝 = 13𝑝 = 1101𝑝

7. 13𝑝 + 13𝑝 = 26𝑝 = 11010𝑝

We always double like before, and if the bit needs to be a one then we double and add. Same algorithm, same complexity.
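The group law, double-and-add, the ECDLP example and the ECDH exchange from the sections above, as an added example that is not code from the rtfm notes. It uses the notes' curve $y^2 \equiv x^3 + 2x + 2 \bmod 17$ with $P = (5, 1)$; the ECDH private keys $a = 3$, $b = 7$ are constructed, and the brute-force ECDLP is feasible only because the group is tiny.

```python
# Added example, not from the rtfm notes: point addition, point doubling,
# double-and-add and a brute-force ECDLP on the notes' curve
# y^2 = x^3 + 2x + 2 mod 17 with P = (5, 1), plus the ECDH exchange with
# constructed private keys. Inverses use Fermat (a^(p-2)) since p is prime.
O = None  # the point at infinity, the neutral element


class Curve:
    def __init__(self, a: int, b: int, p: int):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve")
        self.a, self.b, self.p = a, b, p

    def on_curve(self, P) -> bool:
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        if P is O:
            return O
        return (P[0], (-P[1]) % self.p)          # -P = (x, -y)

    def add(self, P, Q):
        p = self.p
        if P is O:
            return Q
        if Q is O:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:      # P + (-P) = O (vertical line)
            return O
        if P == Q:                               # doubling: s = (3x1^2 + a) / 2y1
            s = (3 * x1 * x1 + self.a) * pow(2 * y1, p - 2, p) % p
        else:                                    # addition: s = (y2 - y1) / (x2 - x1)
            s = (y2 - y1) * pow(x2 - x1, p - 2, p) % p
        x3 = (s * s - x1 - x2) % p
        y3 = (s * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, d: int, P):
        """Double-and-add: always double, and add P when the bit is one."""
        R = O
        for bit in bin(d)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def order_of(self, P) -> int:
        """Smallest n with nP = O, found by repeated addition (toy sizes only)."""
        n, R = 1, P
        while R is not O:
            R = self.add(R, P)
            n += 1
        return n

    def dlog(self, P, T) -> int:
        """Brute-force ECDLP: the d with dP = T. Feasible only because #E is
        tiny; on a 160-bit curve this is the ~2^80-step problem of the notes."""
        d, R = 1, P
        while R != T:
            R = self.add(R, P)
            d += 1
        return d


def ecdh(curve: Curve, P, a: int, b: int):
    """Steps 3-6 of the notes: A = aP and B = bP are exchanged; both sides
    compute aB = bA = (x_AB, y_AB)."""
    A, B = curve.mul(a, P), curve.mul(b, P)
    return curve.mul(a, B), curve.mul(b, A)


if __name__ == "__main__":
    E, P = Curve(2, 2, 17), (5, 1)
    print([E.mul(k, P) for k in (2, 3, 18, 19, 20, 26)])
    print(E.dlog(P, (16, 4)), ecdh(E, P, 3, 7))  # private keys 3 and 7 are constructed
```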

1.4.5 Cryptographic Protocols

date 14 February, 2016

“There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.”

—Bruce Schneier

Security Services

The objectives of a security system are called “security services.” List of the most important security services:

1. Confidentiality: Information is kept secret from all but the authorized parties. This was the main motivation behind encryption and is the basic use of encryption schemes.

2. Message Authentication: The sender of a message is authentic.

3. (Message) Integrity: The message has not been tampered with during transmission.

4. Nonrepudiation: The sender/receiver of a message cannot deny the creation of the message.

Note that in cases one, two, and three the protection is against Oscar. In case four the attacker is either Alice or Bob. Symmetric cryptography does not provide nonrepudiation; we must use asymmetric cryptography to gain the fourth security service.


Digital Signatures

Signature-like function for the electronic world. The traditional protocol, signing at the bottom, no longer works: it allows the signature to be copied with even less work than a real-world signature. This problem can be solved using asymmetric cryptography. The message is encrypted with the key and produces the signature. Then both the message and the signature are sent to Bob. Bob then validates; however, unlike with encryption there is only a one bit output, either valid or invalid. Message integrity is also provided as a result of the solution.

1. Alice generates her private and public keys:

𝐾𝑝𝑟𝐴, 𝐾𝑝𝑢𝑏𝐴

2. Alice makes her public key available:

𝐾𝑝𝑢𝑏𝐴 → Bob

3. Alice signs the message with her private key and sends it to Bob:

$s = \text{sig}_{K_{pr,A}}(x) \to \text{ver}_{K_{pub,A}}(x, s) = \text{True/False}$

RSA Digital Signatures

1. Set up:

𝐾𝑝𝑟𝐴 = (𝑑)

𝐾𝑝𝑢𝑏𝐴 = (𝑛, 𝑒)

2. Alice sends public key to bob:

𝐾𝑝𝑢𝑏𝐴 → (𝑛, 𝑒) → Bob

3. Alice computes the signature, and sends it along with the message to Bob and he verifies the message:

$s = \text{sig}_{K_{pr,A}}(x) \equiv x^d \bmod n \to (x, s) \to \text{ver}_{K_{pub,A}}(x, s): s^e \equiv x' \bmod n$

4. Bob checks that the message is equal to the decrypted signature:

$x' = x$: Valid

$x' \ne x$: Invalid

Computational Aspects

• Signing: Square and Multiply algorithm (costly): $x^d \bmod n$

• Verification: No shortcut, but in practice people often use a special $e$ which makes verification very fast: $s^e \bmod n$


Security

Warning: Existential Forgery Attack

1. Bob generates his public key and his private key:

$K_{pub} = (n, e),\ K_{pr} = d$

2. Bob distributes his key:

$K_{pub} = (n, e) \to$ Alice

3. Bob signs his message and sends it to Alice:

$s \equiv x^d \bmod n,\ (x, s) \to$ Alice

4. Alice verifies the message:

$s^e \equiv x' \bmod n$

$x \stackrel{?}{=} x'$

This is how everything is supposed to work; however, now enter Oscar:

• Oscar chooses:

$s \in \mathbb{Z}_n$

• Computes:

$x \equiv s^e \bmod n$

• Sends the signed message to Alice:

$(x, s) \to$ Alice

Now Alice verifies, and Oscar's signature is valid:

$x' \equiv s^e \bmod n$ (Alice)

$x \equiv s^e \bmod n$ (Oscar)

The limitation of the attack is that Oscar cannot directly control the semantics of the message $x$. This is still undesirable: although a meaningful message cannot be forged, the fact that it is still recognised as a valid signature can open up other attacks such as DDoS (Distributed Denial of Service). Countermeasures against this attack are possible by deviating from schoolbook RSA. In practice, formatting rules are imposed on $x$ which can be checked by Alice. For example, if the last 124 bits are required to be all ones and Oscar tries to forge a signature, where he gets random bits out, he will need on average $2^{124}$ tries to guess a valid signature.
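Schoolbook RSA from the sections above (key generation with the notes' toy key $p = 3$, $q = 11$, $e = 3$, encryption, signing, verification), together with the random-$s$ existential forgery and the formatting-rule countermeasure, as an added example that is not code from the rtfm notes. The larger key $p = 65537$, $q = 257$ used to measure acceptance rates is constructed and far too small for real use; it assumes Python 3.8+ for `pow(e, -1, phi)`.

```python
# Added example, not from the rtfm notes: schoolbook RSA with the notes' toy
# key (p = 3, q = 11, e = 3), RSA signing and verification, the existential
# forgery from a random s, and the formatting-rule countermeasure (low bits of
# x must all be ones). The larger key p = 65537, q = 257 is constructed for the
# acceptance-rate measurement; it is far too small for real use.
from math import gcd
import secrets


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-5 of the notes: n = pq, phi = (p-1)(q-1), gcd(e, phi) = 1,
    d = e^-1 mod phi (pow with exponent -1 needs Python 3.8+)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), pow(e, -1, phi)           # k_pub = (n, e), k_pr = d


def rsa_encrypt(k_pub, x):
    n, e = k_pub
    return pow(x, e, n)                      # y = x^e mod n


def rsa_decrypt(d, n, y):
    return pow(y, d, n)                      # x = y^d mod n


def rsa_sign(d, n, x):
    return pow(x, d, n)                      # s = x^d mod n (square-and-multiply)


def rsa_verify_schoolbook(k_pub, x, s):
    n, e = k_pub
    return pow(s, e, n) == x                 # x' = s^e mod n, accept iff x' == x


def has_format(x, ones):
    """Formatting rule from the notes: the last `ones` bits of x must all be 1."""
    low = (1 << ones) - 1
    return x & low == low


def rsa_verify_formatted(k_pub, x, s, ones):
    return has_format(x, ones) and rsa_verify_schoolbook(k_pub, x, s)


def existential_forgery(k_pub):
    """Oscar picks s in Z_n and computes x = s^e mod n: (x, s) passes the
    schoolbook check, but Oscar has no control over what x says."""
    n, e = k_pub
    s = secrets.randbelow(n - 1) + 1
    return pow(s, e, n), s


def forgery_acceptance_rate(k_pub, ones, trials=2000):
    """Fraction of random forgeries the formatted verifier accepts; expected
    about 2^-ones, versus 1.0 for the schoolbook verifier."""
    hits = sum(rsa_verify_formatted(k_pub, *existential_forgery(k_pub), ones)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    k_pub, d = rsa_keygen(3, 11, 3)          # the notes' example: (33, 3), d = 7
    print(k_pub, d, rsa_encrypt(k_pub, 4), rsa_decrypt(d, 33, 31))
    big_pub, _ = rsa_keygen(65537, 257, 3)   # constructed toy key for the rates
    print(forgery_acceptance_rate(big_pub, 8))
```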

Elgamal Digital Signature

Bob chooses $p$, a primitive element $\alpha$, and his private key in the setup phase:

$K_{pr} = d \in \{2, 3, \ldots, p - 2\}$

$\beta \equiv \alpha^d \bmod p$

Bob sends his public info to Alice:

$K_{pub} = (\beta, p, \alpha) \to$ Alice


Bob now chooses an ephemeral key:

$K_E \in \{2, 3, \ldots, p - 2\} : \gcd(K_E, p - 1) = 1$

Bob signs the message:

$r \equiv \alpha^{K_E} \bmod p$

$s \equiv (x - d \cdot r) K_E^{-1} \bmod (p - 1)$

Bob sends the signature to Alice with the message:

$x, (r, s) \to$ Alice

Alice verifies:

$t \equiv \beta^r \cdot r^s \bmod p$

$$t \begin{cases} \equiv \alpha^x \bmod p & \to \text{valid} \\ \not\equiv \alpha^x \bmod p & \to \text{invalid} \end{cases}$$

Proof of correctness:

$\beta^r \cdot r^s \equiv (\alpha^d)^r (\alpha^{K_E})^s \bmod p$

$\beta^r \cdot r^s \equiv \alpha^{d \cdot r + K_E \cdot s} \bmod p$

Using Little Fermat: $a^{p-1} \equiv 1 \bmod p$

$a^m \equiv a^{q(p-1)+r} = (a^q)^{p-1} \cdot a^r$

$a^m \equiv a^{q(p-1)+r} = 1 \cdot a^r \bmod p$

$a^m \equiv a^{m \bmod (p-1)} \bmod p$

Back to the proof:

$d \cdot r + K_E \cdot s \equiv x \bmod (p - 1)$

$K_E \cdot s \equiv x - dr \bmod (p - 1)$

$s = (x - dr) K_E^{-1} \bmod (p - 1)$

Remarks about Elgamal Digital Signatures

• Is the basis for the Digital signature algorithm: DSA (Digital Signature Algorithm)

• The signature $(r, s)$ has twice the bit length of $x$.

$p \approx 2^{2048} \to |(r, s)| \approx 2 \cdot 2048 = 4096$ bits

Weaknesses of Elgamal

Caution: Weaknesses

1. Reuse of Ephemeral Key

2. Existential Forgery

Reuse of the Ephemeral key

The setup phase must only be done once, so computational difficulty is not a problem there. However, calculating the ephemeral key requires the square and multiply algorithm to compute $r$, and for $s$ computing $K_E^{-1}$ requires the Extended Euclidean Algorithm (EEA), so both parts of the ephemeral key computation are computationally expensive, and this creates the motivation for key reuse. This is a very bad idea though.


Bob uses $K_E$ for 2 messages $x_1, x_2$. Oscar can see:

$x_1, (r, s_1)$

$x_2, (r, s_2)$

Oscar recovers $d$ using a system of equations:

$s_1 \equiv (x_1 - dr) K_E^{-1} \bmod (p - 1)$

$s_2 \equiv (x_2 - dr) K_E^{-1} \bmod (p - 1)$

$\cdots$

$K_E \equiv \dfrac{x_1 - x_2}{s_1 - s_2} \bmod (p - 1)$

Now Oscar can go back and solve for $d$ because it is the only unknown:

$s_1 \equiv (x_1 - dr) K_E^{-1} \bmod (p - 1)$

$d = K_{pr} \equiv \dfrac{x_1 - s_1 K_E}{r} \bmod (p - 1)$
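Elgamal signing and verification as described above, plus a defender-side check that flags the ephemeral-key reuse the notes warn about (the same $r$ under the same signer for different messages), as an added example that is not code from the rtfm notes. The parameters $p = 467$, $\alpha = 2$ are constructed ($\alpha$ is assumed to be a primitive element; the verification identity holds either way), and messages are hashed to an integer before signing.

```python
# Added example, not from the rtfm notes: Elgamal signing and verification
# over constructed small parameters (p = 467, alpha = 2 assumed to be a
# primitive element), messages hashed to an integer first, and a defender-side
# check that flags signatures which reuse an ephemeral key (same r under the
# same signer), the situation in which the notes show d leaks.
import hashlib
import secrets
from math import gcd


def eea_inverse(a: int, m: int) -> int:
    """Extended Euclidean Algorithm: a^-1 mod m. Needed for K_E^-1 mod (p-1),
    where Fermat does not apply because p-1 is not prime."""
    old_r, r, old_s, s = a % m, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m


def keygen(p: int, alpha: int):
    d = secrets.randbelow(p - 3) + 2          # K_pr = d in {2, ..., p-2}
    return d, pow(alpha, d, p)                # (d, beta)


def message_int(x: bytes, p: int) -> int:
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % (p - 1)


def fresh_ephemeral_key(p: int) -> int:
    while True:
        k_e = secrets.randbelow(p - 3) + 2
        if gcd(k_e, p - 1) == 1:
            return k_e


def sign(p: int, alpha: int, d: int, x: int, k_e: int = None):
    """r = alpha^K_E mod p, s = (x - d r) K_E^-1 mod (p-1). k_e is a parameter
    only so the reuse check below can be demonstrated; never pass it in real code."""
    if k_e is None:
        k_e = fresh_ephemeral_key(p)
    r = pow(alpha, k_e, p)
    s = (x - d * r) * eea_inverse(k_e, p - 1) % (p - 1)
    return r, s


def verify(p: int, alpha: int, beta: int, x: int, sig) -> bool:
    r, s = sig
    if not 1 <= r <= p - 1:                   # reject out-of-range r
        return False
    t = pow(beta, r, p) * pow(r, s, p) % p    # t = beta^r * r^s mod p
    return t == pow(alpha, x, p)              # valid iff t == alpha^x mod p


def find_reused_ephemeral_keys(records):
    """records: (signer_id, message, (r, s)) triples seen on the wire. Returns
    {(signer_id, r): {messages}} for every r used for more than one distinct
    message by the same signer, which is the key-reuse condition of the notes."""
    seen = {}
    for signer, x, (r, _) in records:
        seen.setdefault((signer, r), set()).add(x)
    return {k: msgs for k, msgs in seen.items() if len(msgs) > 1}


if __name__ == "__main__":
    p, alpha = 467, 2
    d, beta = keygen(p, alpha)
    x = message_int(b"pay 10 euro", p)        # constructed message
    sig = sign(p, alpha, d, x)
    print(verify(p, alpha, beta, x, sig), verify(p, alpha, beta, x + 1, sig))
```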

Elgamal Existential Forgery Attack

Bob generates his private key:

𝐾𝑝𝑟 = 𝑑

Bob distributes public key:

𝐾𝑝𝑢𝑏 = (𝛽, 𝛼, 𝑝) → Alice

Enter Oscar who:

1. selects integers $i, j$ so that $\gcd(j, p - 1) = 1$

2. Computes the signature

$r \equiv \alpha^i \cdot \beta^j \bmod p$

$s \equiv -r \cdot j^{-1} \bmod (p - 1)$

3. Computes the message

$x \equiv s \cdot i \bmod (p - 1)$

4. Sends message and signature to Alice

𝑥, (𝑟, 𝑠) → Alice

Alice verifies:

$t \equiv \beta^r \cdot r^s \bmod p$

$t \equiv \alpha^x \bmod p \to$ Valid

Again the drawback is that the message can not be controlled.


Cryptographic Hash Functions

If RSA is used to send a PDF file in practice there is a real-world problem. For every block sent a new signature is needed. This restricts $x$ in length to the block size; however, breaking the message into multiple parts and signing each with the same key, like one would with a block cipher, is insecure. It allows multiple attack vectors, such as reordering the blocks, even though each signature is valid. Also this is a very inefficient method of implementation. The solution to this problem is to somehow “compress” the message before signing. This will result in the following improvement.

Bob first computes a hash $z$ of his message, signs it and sends the message and signature to Alice:

$z = h(x)$

$s = \text{sig}_{K_{pr}}(z) \to (x, s) \to$ Alice

Alice then verifies the message's authenticity:

$\text{ver}_{K_{pub}}(z, s)$

Because the signature is on $z$, it replaces the $x'$ in the verification algorithm. Alice generates $z$ by using the same hash function $h(x)$ that Bob used. $z$ is also called a “fingerprint” of $x$ or a “message digest”.

Requirements for Hash Functions

1. Arbitrary input lengths

2. Fixed, short output lengths

3. Efficient

4. “Preimage Resistance” or “one-way-ness”: It should be impossible to compute $x$ from $z$, or to undo the hash function.

5. “Second Preimage Resistance” or “Weak Collision Resistance”: given $x_1$ and the output, an attacker should not be able to compute $x_2$.

6. “Collision Resistance”

2nd Preimage attack: Assume the following (note $x_1$ is chosen by Bob):

$h(x_1) = h(x_2) = z$

𝑥1 = Transfer $10 into Oscar's account

𝑥2 = Transfer $10,000 into Oscar's account

Bob has $x_1$, signs it and sends it; Oscar replaces the message in transit with $x_2$:

Bob $\to (x_1, s) \to$ Oscar $\to (x_2, s) \to$ Alice

Alice verifies the message and everything checks out.

Collision Attack: Oscar can construct $x_1$ and $x_2$; Oscar chooses $x_1$ here. Bob sets up his system and sends the public key over:

𝐾𝑝𝑢𝑏 →

Oscar tricks bob into signing 𝑥1:

Oscar → 𝑥1 → Bob


Bob signs and sends it back and Oscar intercepts and modifies the message:

𝑧 = ℎ(𝑥1)

$s = \text{sig}_{K_{pr}}(z) \to (x_1, s) \to$ Oscar $\to (x_2, s) \to$ Alice

Alice verifies:

𝑧 = ℎ(𝑥2)

ver𝐾𝑝𝑢𝑏(𝑧, 𝑠) = True

Collision Attacks and the Birthday Paradox: Collision attacks are much harder to prevent than 2nd preimage attacks. Of course the first thought for a solution would be to design a hash function without collisions; the problem with that is that it is impossible. The input space of a hash function must be larger than the hash space because of conditions one and two of hash functions.

$|x| \gg |z| \to$ collisions must exist

This is called “Dirichlet's drawer principle”: if you have 10 socks and only 9 drawers you will have a collision. It is also called the “pigeonhole principle”: if you have 20 pigeons and 19 boxes where they live you must have one box with 2 pigeons. The next best thing is to make collisions very hard to find.

2nd Preimage Attack with Brute-Force: Oscar puts a message in a database, constructs a message he wants and hashes them, checking whether they are identical. Then he slightly modifies it, possibly in an invisible way (spaces, tabs), until a collision is found.

ℎ(𝑥1) =? ℎ(𝑥2)

ℎ(𝑥1) =? ℎ(𝑥3)

ℎ(𝑥1) =? ℎ(𝑥4)

···

ℎ(𝑥1) =? ℎ(𝑥𝑛)

If $|z| = 2^{80}$, $n = 80$, then the attack requires $\approx 2^{80}$ steps.

Collision attack with brute-force: Birthday Paradox. If we require a collision with a specific day of the year then on average you must have 365 people at the party. However, if the requirement is changed to a collision if anyone at the party has the same birthday as anyone else, then the probability changes dramatically.

$P(\text{no collision among 2 people}) = 1 - \frac{1}{365}$

When the second person arrives he can collide with not one but two people:

$P(\text{no collision among 3 people}) = \left(1 - \frac{1}{365}\right)\left(1 - \frac{2}{365}\right)$

$P(\text{collision among } t \text{ people}) = 1 - \prod_{i=1}^{t-1}\left(1 - \frac{i}{365}\right) = 0.507 \approx 50\%$ for $t = 23$


The attacker here can check for a collision with each generated message against every single previously generatedmessage.

ℎ(𝑥1) =? ℎ(𝑥2)

ℎ(𝑥1) =? ℎ(𝑥2) =? ℎ(𝑥3)

ℎ(𝑥1) =? ℎ(𝑥2) =? ℎ(𝑥3) =? ℎ(𝑥4)

···

ℎ(𝑥1) =? ℎ(𝑥2) =? ℎ(𝑥3) =? ℎ(𝑥4) =? ℎ(𝑥𝑛)

This gives many more chances for collisions.

x_1, x_2, ..., x_t → h(x) → n bits → z

P(no collision) = ∏_{i=1}^{t−1} (1 − i/2^n)

Solving for the number of messages t needed to reach a collision probability λ:

t ≈ 2^{(n+1)/2} · √(ln(1/(1 − λ)))

where λ is the probability of at least one collision. Example:

n = 80, λ = 0.5:  t ≈ 2^{81/2} · √(ln 2) ≈ 2^{40.2}

This means that for 80-bit security against collisions we need 160 bits of output length; the collision resistance of an n-bit hash is only about n/2 bits.

  λ      128 bit   160 bit   256 bit   384 bit   512 bit
  0.5    2^65      2^81      2^129     2^193     2^257
  0.9    2^66      2^82      2^130     2^194     2^258

Note how little λ affects the result: going from a 50% to a 90% chance of a collision costs the attacker only one more bit of work. A 160-bit hash function therefore offers a security level below that of AES-128; to match AES-128 against collision attacks a 256-bit hash (SHA-256) is needed.
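As an added worked example (not from the original notes), the following Python evaluates the bound above and checks it empirically. The n-bit hash is SHA-256 truncated to n bits and the messages are constructed for the demonstration; the point is the contrast between the collision search, which finishes after about 2^{n/2} messages because every new hash is compared with all earlier ones, and the 2nd-preimage search against a fixed target, which needs about 2^n.

```python
"""Birthday bound for n-bit hashes, checked against a collision search on a
truncated SHA-256. Added example, not part of the original notes."""
import hashlib
import itertools
import math


def birthday_bound(n_bits: int, lam: float = 0.5) -> float:
    """Messages needed for a collision with probability lam on an n-bit hash:
    t ~ 2^((n+1)/2) * sqrt(ln(1/(1-lam)))  (the formula from the text)."""
    return 2 ** ((n_bits + 1) / 2) * math.sqrt(math.log(1 / (1 - lam)))


def log2_bound(n_bits: int, lam: float = 0.5) -> float:
    """The same bound as a power of two, for comparison with the table."""
    return math.log2(birthday_bound(n_bits, lam))


def h(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the top n bits of SHA-256. Only the output size is
    reduced; the birthday argument depends on nothing else about the function."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)


def find_collision(n_bits: int):
    """Collision search: each new hash is compared against all earlier ones
    (the dict lookup does that in O(1)). Returns (x1, x2, messages_tried)."""
    seen = {}
    for i in itertools.count(1):
        x = b"message-%d" % i            # constructed, pairwise distinct inputs
        z = h(x, n_bits)
        if z in seen:
            return seen[z], x, i
        seen[z] = x


def find_second_preimage(x1: bytes, n_bits: int, limit: int):
    """2nd-preimage search against the fixed target h(x1): every candidate is
    compared with one value only, so about 2^n tries are expected, not 2^(n/2).
    Returns (x, tries) or (None, limit) if the cap is hit."""
    target = h(x1, n_bits)
    for i in range(1, limit + 1):
        x = b"candidate-%d" % i
        if x != x1 and h(x, n_bits) == target:
            return x, i
    return None, limit


if __name__ == "__main__":
    for n in (128, 160, 256):
        print(f"n={n}: t ~ 2^{log2_bound(n):.1f} messages for a 50% collision")
    x1, x2, tries = find_collision(24)
    print(f"24-bit collision after {tries} messages "
          f"(bound 2^{log2_bound(24):.1f} = {birthday_bound(24):.0f}): {x1!r} {x2!r}")
    x, tries = find_second_preimage(b"message-1", 16, 1 << 22)
    print(f"16-bit second preimage after {tries} tries (expect about 2^16 = 65536): {x!r}")
```

Run with a larger n (e.g. 32) to watch the collision search stay fast while the second-preimage search becomes infeasible in pure Python; that asymmetry is the whole reason output lengths are doubled relative to the intended security level.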

Building a Hash Function: Types of Hash Function Constructions

1. Block cipher construction

• Very simple to construct from an existing block cipher (e.g. the Davies-Meyer or Matyas-Meyer-Oseas modes).

2. Dedicated hash function

• MD4 family (all Merkle-Damgard constructions)

– MD5 (broken; collisions can be produced in seconds)

– SHA-1 (attacks exist, weak; deprecated for signatures, and a practical collision was demonstrated in 2017)

– SHA-2 (seems secure)

* SHA-224

* SHA-256

* SHA-384

* SHA-512

• SHA-3 (Keccak; a sponge construction, neither part of the MD4 family nor a Merkle-Damgard design)

• Many others

Overview of SHA-1

x → SHA-1 → 160 bits

SHA-1 uses a Merkle-Damgard construction. The message is first padded (a single 1 bit, zeros, and the 64-bit message length) to a multiple of 512 bits and split into blocks:

x = (x_1, ..., x_n)

Each block is then fed, together with the previous chaining value, into a compression function, one block at a time:

H_0 = IV
(x_1, H_0) → compression function → H_1
(x_2, H_1) → compression function → H_2
···
(x_n, H_{n−1}) → compression function → H_n = SHA-1(x)

The input block size is 512 bits and the chaining value, and hence the output, is 160 bits. Recall that block ciphers work in a similar iterative way, each round keyed with a different sub-key; the compression function works the same way, with the message block playing the role of the key (through the message schedule) and the chaining value H_{i−1} playing the role of the plaintext. The difference comes at the end: the input chaining value is added word-wise modulo 2^32 to the output of the 80 rounds (the Davies-Meyer feed-forward), which is what makes the function one-way rather than invertible like a cipher.

SHA-1 has:

• 4 × 20 = 80 rounds

• There are 4 stages:

– Stage t = 1, Rounds j = 0...19

– Stage t = 2, Rounds j = 20...39

– Stage t = 3, Rounds j = 40...59

– Stage t = 4, Rounds j = 60...79

• Each round has a 5 × 32-bit state input (A, B, C, D, E) and a message word input W_j.

• Each input (W_j, A, B, C, D, E) is a word (32 bits).

The Round Function: The input is the 5 words A, B, C, D, E. Recall how Feistel networks split the block in two and feed one half through a function whose output is XORed into the other half. SHA-1 works similarly, but uses addition modulo 2^32 in place of the XOR and rotations in place of plain shifts. B, C, D are fed into the stage function f_t; its output is added to E, to A rotated left by 5 bits, to the message word W_j and to the round constant K_t, all modulo 2^32:

T = ROTL_5(A) + f_t(B, C, D) + E + W_j + K_t  (mod 2^32)

Then the state is shifted along: A becomes the new B, B is rotated left by 30 bits and becomes the new C, C becomes the new D, D becomes the new E, and T becomes the new A.

Recall there are four stages: there is a different function f_t for each stage, and the round constant K_t changes per stage as well. The constants are f­ixed 32-bit values written into the standard:

  Stage t   Rounds j   Constant K_t      Function f_t(B, C, D)
  1         0...19     K_1 = 5A827999    (B ∧ C) ∨ (¬B ∧ D)
  2         20...39    K_2 = 6ED9EBA1    B ⊕ C ⊕ D
  3         40...59    K_3 = 8F1BBCDC    (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
  4         60...79    K_4 = CA62C1D6    B ⊕ C ⊕ D

One round consists of four additions, two rotations and a handful of bitwise AND/OR/XOR instructions. This is very efficient in software.


Inside of the Message Schedule: Deriving W_0...W_79 from the 512-bit input block x_i. Split the 512 bits into 32-bit words, which gives 16 words; W_0...W_15 are simply these message words. For W_16...W_79:

W_j = ROTL_1(W_{j−16} ⊕ W_{j−14} ⊕ W_{j−8} ⊕ W_{j−3}),  16 ≤ j ≤ 79

The one-bit left rotation is the only difference between SHA-1 and its withdrawn predecessor SHA-0, which lacks it; it was added to correct a weakness in the original design.

Message Authentication Codes (MACs)

MACs are also called "cryptographic checksums".

Message authentication with symmetric cryptography. This is preferred over asymmetric signatures where it can be used, because it is much faster. The limiting factor, of course, is that a secure channel is needed for key distribution to establish the shared key.

Bob inputs the message x and the shared key K to the MAC and sends the resulting tag along with the message:

m = MAC_K(x) → (x, m) → Alice

Alice verifies by recomputing the tag with the same key:

m' = MAC_K(x)
m' =? m

Properties of MACs

1. Arbitrary input length

2. Fixed output length

3. Security Services

• Message authentication: Alice is assured that the message originated from someone holding K, i.e. Bob.

• Integrity: manipulations in transit will be detected by Alice.

• Non-repudiation: not provided. Because both parties hold the same key, either of them could have produced the tag, so a third party cannot tell whether Alice or Bob created the message; a MAC offers no protection if Alice and Bob try to cheat each other.

Hash-based MAC (HMAC)

m = MAC_K(x) = h(K, x)

Mixing K and x: first some bad ideas.

1. m = h(K || x) - Secret Prefix. Assume:

• x = (x_1 || x_2 || ... || x_n)

• m = h(K || x) = h(K || x_1 || x_2 || ... || x_n)

• Most hash functions use the Merkle-Damgard construction: x_1, ..., x_n are fed in iteratively and the final chaining value is h(x).


Warning: Attack (length extension)

Bob: m = h(K || x_1 || ... || x_n) → (x, m) →

Oscar intercepts and appends something of his choosing:

x_O = (x_1, ..., x_n, x_{n+1})

Oscar now computes a valid tag for the extended message without knowing K. In the Merkle-Damgard construction m is nothing but the chaining value after the last block, so he simply runs the compression function once more with m as the IV:

m_O = h(x_{n+1}, IV = m) → (x_O, m_O) → Alice

Alice runs the standard check and the tag verifies. Padding the message with its length (as SHA-1 and SHA-2 do) does not stop this attack: Oscar includes the original padding block, which depends only on |K| + |x| (and |K| is easily guessed), as the first part of his appended data, so x_O = x || pad || x_{n+1}, and then continues from m with the correct total length. The embedded padding bytes look odd but are accepted by many parsers. This is exactly the weakness HMAC was designed to remove; hash functions without this structure (SHA-3) are not affected.
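The following Python is an added example, not code from the original notes; it serves both the SHA-1 description above (Merkle-Damgard chaining, the 80-round compression function, the message schedule) and this attack. It implements SHA-1 from the round description, checks it against hashlib, and then carries out the length-extension forgery against m = h(K || x) with a constructed key and message; Oscar is assumed to know the key length but not the key. It also shows what the text leaves implicit: the glue padding has to be part of the forged message.

```python
"""SHA-1 from its round description, plus a length-extension forgery against
the secret-prefix MAC m = h(K || x). Added example, not from the original notes."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # K_1..K_4, one per stage


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def f(t: int, b: int, c: int, d: int) -> int:
    """Stage functions f_1..f_4 (t = 0..3)."""
    if t == 0:
        return (b & c) | (~b & d)
    if t == 2:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d                      # stages 2 and 4


def compress(h: tuple, block: bytes) -> tuple:
    """One Merkle-Damgard step: (512-bit block, 160-bit chaining value) -> new chaining value."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 80):               # message schedule; the ROTL_1 is what SHA-0 lacked
        w.append(rotl(w[j - 16] ^ w[j - 14] ^ w[j - 8] ^ w[j - 3], 1))
    a, b, c, d, e = h
    for j in range(80):
        t = j // 20
        tmp = (rotl(a, 5) + f(t, b, c, d) + e + w[j] + K[t]) & MASK32
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    # Davies-Meyer feed-forward: add the input chaining value word-wise mod 2^32
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))


def padding(total_len: int) -> bytes:
    """Merkle-Damgard strengthening for a message of total_len bytes:
    0x80, zeros up to 56 mod 64, then the message length in bits, 64-bit big-endian."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(msg: bytes, state: tuple = IV, prior_len: int = 0) -> bytes:
    """SHA-1 of msg. With state/prior_len the hash is resumed from a known
    chaining value that already covers prior_len bytes (a multiple of 64)."""
    data = msg + padding(prior_len + len(msg))
    h = state
    for i in range(0, len(data), 64):
        h = compress(h, data[i:i + 64])
    return struct.pack(">5I", *h)


def matches_hashlib(msg: bytes) -> bool:
    return sha1(msg) == hashlib.sha1(msg).digest()


def length_extend(mac: bytes, key_len: int, x: bytes, suffix: bytes):
    """Oscar knows mac = sha1(K || x), |K| and x, but not K. Returns (x_O, m_O)
    with sha1(K || x_O) == m_O: the tag is the chaining value after the last
    block, so hashing simply resumes from it. The glue padding must be part of x_O."""
    state = struct.unpack(">5I", mac)
    glue = padding(key_len + len(x))
    x_o = x + glue + suffix
    m_o = sha1(suffix, state, key_len + len(x) + len(glue))
    return x_o, m_o


def forgery_verifies(key: bytes, x: bytes, suffix: bytes) -> bool:
    """Alice's check on Oscar's forged (x_O, m_O): recompute h(K || x_O) and compare."""
    mac = sha1(key + x)
    x_o, m_o = length_extend(mac, len(key), x, suffix)
    return x_o != x and sha1(key + x_o) == m_o


if __name__ == "__main__":
    key = b"constructed-secret-key"          # constructed; Oscar only learns len(key)
    x = b"amount=100&to=bob"
    print("sha1 matches hashlib:", matches_hashlib(key + x))
    print("forged tag accepted by Alice:", forgery_verifies(key, x, b"&to=oscar"))
```

If the key length is unknown, Oscar simply tries the forgery for every plausible length; each attempt costs one hash and the verifier tells him when he guessed right.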

2. m = h(x || K) - Secret Suffix

• Assume Oscar can find collisions h(x) = h(x_0) for two messages of the same (block-aligned) length, so that the internal Merkle-Damgard state after processing them is identical.

x = (x_1 || x_2 || ... || x_n)

m = h(x || K) = h(x_1 || x_2 || ... || x_n || K)

Important: Attack

Since the chaining value after x equals the one after x_0, appending the same K to both yields the same tag:

h(x || K) = h(x_0 || K)

Oscar therefore gets Bob to MAC the harmless x and reuses the tag for x_0, again without knowing K. Brute force is always an option against symmetric cryptography, so we must compare the brute-force effort against the collision-finding effort to decide whether this is worth guarding against, i.e. whether Oscar gains anything by running this attack:

h() → SHA-1 → 160-bit output
|K| = 128 bit

We expect a brute-force attack on K to cost 2^128 steps, but a collision search only takes ≈ √(2^160) = 2^80 steps (birthday paradox). The MAC is thus only as strong as the hash function's collision resistance, not as strong as its key length.

Solution: HMAC construction

• Proposed in 1996 (Bellare, Canetti and Krawczyk; standardized in RFC 2104)

• Widely used in practice, e.g. in SSL/TLS and IPsec

Use two nested secret-prefix MACs, roughly an inner and an outer hash:

h(K || h(K || x))

In reality (opad = outer pad, ipad = inner pad):

HMAC_K(x) = h[(K+ ⊕ opad) || h((K+ ⊕ ipad) || x)]

The key is padded with 0s up to the block size of the hash function (512 bits for SHA-1 and SHA-256) to form K+; a key longer than the block size is first hashed down:

K+ = K || 000...0

ipad is the byte 0x36 repeated to the block size:

ipad = 0011 0110, ..., 0011 0110

opad is a different byte pattern, 0x5C, repeated to the block size:

opad = 0101 1100, ..., 0101 1100

Note that the message is only processed in the inner hash, so HMAC costs about one extra compression-function call over the plain hash. Because the outer hash is keyed, an attacker who extends the inner hash still cannot compute the outer one, which removes the length-extension attack; the construction is also proven secure under weaker assumptions on h than collision resistance.
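The construction written out in Python, as an added example rather than code from the notes: HMAC-SHA1 built from the ipad/opad steps above, compared against the standard library's hmac module and the RFC 2202 test vectors, with a constant-time tag comparison on the verifier's side. The key and message in the demo are constructed.

```python
"""HMAC-SHA1 exactly as the construction above describes, checked against the
standard library and the RFC 2202 test vectors. Added example, not from the notes."""
import hashlib
import hmac

BLOCK = 64               # block size B of SHA-1 (and SHA-256) in bytes
IPAD, OPAD = 0x36, 0x5C  # 0011 0110 and 0101 1100


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    if len(key) > BLOCK:                          # keys longer than B are hashed down first
        key = hashlib.sha1(key).digest()
    k_plus = key + b"\x00" * (BLOCK - len(key))   # K+ = K || 00...0
    inner = hashlib.sha1(bytes(b ^ IPAD for b in k_plus) + msg).digest()
    return hashlib.sha1(bytes(b ^ OPAD for b in k_plus) + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a plain == leaks how many leading bytes matched."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    return hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest()


# RFC 2202 test cases 1 and 2: (key, data, expected HMAC-SHA1)
RFC2202 = [
    (b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00"),
    (b"Jefe", b"what do ya want for nothing?", "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
]


def rfc2202_passes() -> bool:
    return all(hmac_sha1(k, d).hex() == expected for k, d, expected in RFC2202)


if __name__ == "__main__":
    key, msg = b"constructed-key", b"amount=100&to=bob"   # constructed sample input
    tag = hmac_sha1(key, msg)
    print("RFC 2202 vectors pass:", rfc2202_passes())
    print("tag verifies:", verify(key, msg, tag))
    # appending data without the key no longer works: the outer hash is keyed
    print("extended message verifies:", verify(key, msg + b"&to=oscar", tag))
```

Use hmac.compare_digest (or the equivalent in your language) for every tag check; the forgery attacks above need no timing side channel, but a byte-by-byte early-exit comparison hands the attacker one more.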

CBC-MAC: using the cipher block chaining (CBC) mode of a block cipher e_K for generation:

1. Divide the message into blocks x_i, i = 1, 2, ..., n

2. Given the secret key K and a fixed initialization vector IV (in practice IV = 0; unlike CBC encryption the IV must not be random or transmitted, otherwise an attacker can flip bits in x_1 and compensate in the IV):

• Compute y_1 = e_K(x_1 ⊕ IV), i.e. XOR the first block with the IV and encrypt with K.

• Repeat y_i = e_K(x_i ⊕ y_{i−1}) for i = 2, 3, ..., n

• MAC m = y_n

3. MAC verification

• Repeat the same computation with K and check whether the same m is derived.

Plain CBC-MAC is only secure for messages of one fixed length; for variable-length messages use a length-prefixed variant or CMAC, which is the standardized fix.

Key Exchange Protocols

Before symmetric cryptography can be used the keys must be exchanged over a secure channel. This is usually donewith a key exchange protocol.

Key Establishment: There are two principal approaches, key transport and key agreement.

Key Transport: One party chooses the key and sends it to the other. The whole key then rests on that party's random number generator: a faulty or malicious generator yields a weak key, and for some block ciphers a party could even deliberately pick a known weak key. This is much harder with joint key generation.

Key Agreement: Both parties contribute randomness and derive the key jointly, as in the Diffie-Hellman key exchange.

Naive Approach: A simple method of exchanging keys that is only suitable for static networks.

The 𝑛2 key distribution problem. Assumption: establish pairwise secret keys between all users.

𝑛 = 4 = {Alice, Bob, Chris, Dora}

Here key establishment between everyone requires 3 keys each.

Alice → 𝐾𝐴𝐵 , 𝐾𝐴𝐶 , 𝐾𝐴𝐷

Bob → 𝐾𝐵𝐴, 𝐾𝐵𝐶 , 𝐾𝐵𝐷

Chris → 𝐾𝐶𝐴, 𝐾𝐶𝐵 , 𝐾𝐶𝐷

Dora → 𝐾𝐷𝐴, 𝐾𝐷𝐵 , 𝐾𝐷𝐶


Generalizing this to n users, n · (n − 1) ≈ n^2 keys are stored in total, and the number of distinct key pairs is:

n(n − 1)/2 = C(n, 2)

Caution: This method is impractical for any network that is not static. It requires a quadratic number of keys; a mid-size company with, for example, 750 employees needs

C(750, 2) = 280,875 keys.

Per user this is only 749 keys to store, but the keys need a trusted authority to generate them and push them out to everyone, and adding new users is complex. To add a user, Noah, the admin must go to his PC and manually install his 750 keys, then go to every other user's PC and install the key for communicating with Noah.

Key Distribution Center (KDC) Based Protocols: A more efficient means of distributing keys. A central trusted authority, the KDC, shares one long-term key with every user. Each user stores only his own key and the KDC's database stores all of them.

Alice → K_A
Bob → K_B
KDC → K_A, K_B

Alice sends the KDC a request to communicate with Bob:

RQST(ID_A, ID_B) → KDC

The KDC generates a session key K_ses for Alice and Bob and encrypts it once under each user's key:

Y_A = e_{K_A}(K_ses)
Y_B = e_{K_B}(K_ses)

The KDC sends both encrypted copies to Alice:

KDC → Y_A, Y_B → Alice

Alice decrypts Y_A using K_A, the key she shares with the KDC, to obtain the session key:

K_ses = e^{-1}_{K_A}(Y_A)

Alice encrypts her message under the session key and sends the ciphertext to Bob. Note that she can do nothing with Y_B except forward it to Bob, which is how he learns the session key:

e_{K_ses}(x) → y, Y_B → Bob

Bob receives the ciphertext but does not yet have the session key; to obtain it he decrypts Y_B:

K_ses = e^{-1}_{K_B}(Y_B)

Finally Bob decrypts with the session key and obtains Alice's plaintext:

e^{-1}_{K_ses}(y) → x

Advantages: only one long-term key per user, i.e. n keys in total, so the complexity is linear in the number of users, which is a very good property; counting both copies (user and KDC) there are 2n stored static keys, much more manageable than n^2. When adding a new user, only that user and the KDC database need a new key. Secure channels are only needed ahead of time between each user and the KDC; the KDC then manages the creation of all further secure channels.

Weaknesses


1. The system has a single point of failure, the KDC. If an attacker compromises the KDC, every user's long-term key and hence every session is exposed.

2. No perfect forward secrecy (PFS): once a user is known to be compromised his key can be changed, after which Oscar can no longer read that user's new communications. But if Oscar has recorded the traffic (Y_A and the session ciphertexts) and later obtains K_A, he can recover every past session key and decrypt all messages ever protected under them. A single compromise of a key encryption key (KEK) thus exposes all past communication, not only future traffic.

3. Replay attack: Oscar can resend an old (Y_A, Y_B) pair and the accompanying ciphertexts; without timestamps or nonces neither party can tell an old session key from a fresh one.

4. Key confirmation attack: the request RQST(ID_A, ID_B) is not authenticated, so Oscar can alter it to RQST(ID_A, ID_O) and obtain a session key shared with Alice while she believes she is talking to Bob; Alice gets no confirmation of who actually holds K_ses.

The best that can be done to mitigate the single point of failure is to make the KDC itself very secure. Kerberos, which builds on this design, adds timestamps, ticket lifetimes and authenticators against replay and for key confirmation; the lack of forward secrecy remains.

Remarks

• The permanent keys here, {𝐾𝐴, 𝐾𝐵 , 𝐾𝐶 , 𝐾𝐷, ...} are called “Key Encryption Keys (KEKs)” after the factthat they are not used to encrypt messages but only as a means to establish a temporary session key.

• KDC is the basis for Kerberos.

Man-in-the-Middle (MITM) Attack This is the most important aspect of key distribution for everyone, includingpeople who have no specialization in security, to be aware of. It would be beneficial for even muggles to have a highlevel understanding of this to give them some sort of justification to stop themselves from doing dumb things on theweb that leads to the harm of themselves and others. As long as Oscar is only a passive attacker the Diffie-Hellmanwe have seen so far is secure. If Oscar is an active attacker, he can not only listen but manipulate packets in transit,the system is broken as is.

Diffie-Hellman Revisited, with an Active Attacker. Alice's setup:

K_pr = a
K_pub = α^a = A

Bob's setup:

K_pr = b
K_pub = α^b = B

Alice and Bob send each other their public keys. Oscar intercepts both and replaces them with public keys of his own, computed from private keys o_1 and o_2 he generated:

A → Oscar → A' = α^{o_1} → Bob
B → Oscar → B' = α^{o_2} → Alice

Alice and Bob calculate what they believe is their shared key, but each is really a session key with Oscar:

K_AO = B'^a = (α^{o_2})^a
K_BO = A'^b = (α^{o_1})^b

Oscar calculates the same two keys:

K_AO = A^{o_2} = (α^a)^{o_2}
K_BO = B^{o_1} = (α^b)^{o_1}


Oscar shares one session key with Alice and another with Bob, while Alice and Bob still think they are talking privately to each other. Oscar now has full control over their communication.

Alice encrypts with a very secure cipher, using what she thinks is K_AB but is really K_AO, and sends the result towards Bob. If the ciphertext reached Bob his decryption would fail (he holds K_BO), but Oscar intercepts and decrypts:

y = AES_{K_AO}(x) → y → Oscar: AES^{-1}_{K_AO}(y) = x

Oscar's options:

1. Do nothing, i.e. do not forward the message to Bob.

2. Forward it untouched; to do this he must re-encrypt it under his session key with Bob:

y' = AES_{K_BO}(x) → y' → Bob: x = AES^{-1}_{K_BO}(y')

3. Manipulate the plaintext before re-encrypting and forwarding it.

Important: The most important thing to know about this attack is that it is a universal attack on public-key cryptography: the man-in-the-middle attack works against every public-key scheme whose public keys are exchanged without authentication.

The basis of the attack is that the public keys are not authenticated. Digital signatures alone are not a solution to the problem: they use a public key for verification, and Oscar can replace the verification key just as he replaced the DH public keys.

Certificates: Using a cryptographic method that provides authentication, the MITM attack can be prevented. We have two methods of providing authentication, digital signatures and MACs. MACs are not a good choice here: they need a shared secret key between Alice and Bob, which is exactly the key-distribution problem the public-key exchange is supposed to solve.

The solution is digital signatures issued by a centrally trusted third party, a Certifying Authority (CA). A certificate is a public key bound to an identity by the CA's signature:

Cert_A = [(K_pub,A, ID_A), sig_{K_pr,CA}(K_pub,A, ID_A)]

Diffie-Hellman With Certificates: Alice and Bob set up as before:

Alice: a = K_pr, A = K_pub
Bob:   b = K_pr, B = K_pub

Alice and Bob exchange certificates instead of bare public keys, where S is the CA's signature:

Cert_A = [(A, ID_A), S_A] → Bob
Cert_B = [(B, ID_B), S_B] → Alice

Before doing anything else Bob verifies the signature using the CA's public key, and only then derives the key:

Ver_{K_pub,CA}(Cert_A) = true/false
K_AB = A^b = (α^a)^b

Alice does the same verification:

Ver_{K_pub,CA}(Cert_B) = true/false
K_AB = B^a = (α^b)^a


If Oscar tries to substitute a fake public key A' = α^{o_1}, the exchange fails at the verification stage, because the CA's signature is over Alice's key and identity and does not match (A', ID_A). Oscar would have to forge a certificate, which he cannot do without the CA's private key. The CA's own public keys are distributed as root certificates; today they mostly come pre-installed in browsers and operating systems, and they can also be distributed through trusted (print) publications.

Oscar's attack thus downgrades to presenting a key he knows will fail verification, and hoping the user clicks through the security warning to "make it work".
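The two exchanges above in working code, as an added example rather than code from the original notes: first the unauthenticated Diffie-Hellman exchange with Oscar substituting α^{o_1} and α^{o_2}, then the same exchange with CA-signed certificates, where the substituted key fails verification. Assumptions made here: the group is Z_p^* for a safe prime p generated at toy size, with α of prime order q rather than a primitive element, and the CA's generic sig/ver is instantiated with Schnorr signatures in that same group, one concrete choice of signature scheme that the text leaves open.

```python
"""Diffie-Hellman: the man-in-the-middle attack above, and how a CA signature
over (public key, ID) defeats it. Added example, not code from the original notes.
Toy-sized group generated at runtime; CA signs with Schnorr in the same group."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Group:
    """Z_p^* for a safe prime p = 2q + 1. alpha = 4 = 2^2 lies in the order-q
    subgroup, so every public key has prime order q (needed for Schnorr)."""

    def __init__(self, bits: int):
        while True:
            q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
            if is_probable_prime(q) and is_probable_prime(2 * q + 1):
                break
        self.p, self.q, self.alpha = 2 * q + 1, q, 4
        self.nbytes = (self.p.bit_length() + 7) // 8

    def keygen(self):
        priv = secrets.randbelow(self.q - 1) + 1            # K_pr
        return priv, pow(self.alpha, priv, self.p)          # (K_pr, K_pub = alpha^K_pr)

    def enc(self, x: int) -> bytes:
        return x.to_bytes(self.nbytes, "big")


def hash_to_int(G: Group, *parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % G.q


def schnorr_sign(G: Group, c: int, msg: bytes):
    k = secrets.randbelow(G.q - 1) + 1
    e = hash_to_int(G, G.enc(pow(G.alpha, k, G.p)), msg)
    return e, (k + c * e) % G.q


def schnorr_verify(G: Group, C: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G.alpha, s, G.p) * pow(C, G.q - e, G.p) % G.p    # alpha^s * C^-e = alpha^k
    return hash_to_int(G, G.enc(r), msg) == e


def issue_cert(G: Group, ca_priv: int, pub: int, ident: bytes):
    """Cert = [(K_pub, ID), sig_CA(K_pub, ID)]"""
    return (pub, ident), schnorr_sign(G, ca_priv, G.enc(pub) + ident)


def verify_cert(G: Group, ca_pub: int, cert) -> bool:
    (pub, ident), sig = cert
    return schnorr_verify(G, ca_pub, G.enc(pub) + ident, sig)


def mitm_unauthenticated(G: Group) -> bool:
    """Oscar swaps A, B for alpha^o1, alpha^o2; Alice and Bob end up with keys Oscar holds."""
    a, A = G.keygen()
    b, B = G.keygen()
    o1, A_fake = G.keygen()
    o2, B_fake = G.keygen()
    k_alice = pow(B_fake, a, G.p)                    # Alice: K_AO = B'^a
    k_bob = pow(A_fake, b, G.p)                      # Bob:   K_BO = A'^b
    k_ao, k_bo = pow(A, o2, G.p), pow(B, o1, G.p)    # Oscar: A^o2 and B^o1
    return k_alice == k_ao and k_bob == k_bo and k_alice != k_bob


def mitm_with_certificates(G: Group) -> bool:
    """With Cert_A = [(A, ID_A), S_A], Oscar's substituted A' fails Bob's check."""
    ca_priv, ca_pub = G.keygen()
    _, A = G.keygen()
    cert_a = issue_cert(G, ca_priv, A, b"Alice")
    _, A_fake = G.keygen()
    forged = ((A_fake, b"Alice"), cert_a[1])         # Oscar reuses the CA's signature
    return verify_cert(G, ca_pub, cert_a) and not verify_cert(G, ca_pub, forged)


if __name__ == "__main__":
    G = Group(128)   # toy size; real deployments use >= 2048-bit p or elliptic curves
    print("unauthenticated DH, Oscar holds both keys:", mitm_unauthenticated(G))
    print("certified DH, forged key rejected:", mitm_with_certificates(G))
```

The certificate only helps if Bob actually checks it against a CA key he obtained out of band (the root certificate); if Oscar can also substitute the CA key, the exchange is back to the unauthenticated case.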

1.4.6 Solving the Hard Problem

The Double-Edged Sword of Mathematics in Cryptography

date 5 December, 2015

“Yet despite their apparent simplicity and fundamental character, prime numbers remain the most myste-rious objects studied by mathematicians. In a subject dedicated to finding patterns and order, the primesoffer the ultimate challenge.”

—Marcus du Sautoy

Note: Ported from the original LaTeX document very quickly may contain some typos or other small errors. Stillneeds proof reading, citation double checking, etc.

Perfect Secrecy and why it’s Unmanageable

On or around June 6, 1944 a pigeon carrying an encrypted message from Normandy, France back home to England never reached its destination. Years later it was found in a chimney south of London with the message still attached to its leg and intact. The message was sent to the British Government Communications Headquarters (GCHQ) in the hope that they could break the code, but it remains unbroken [4]. This is because it was encrypted using a one-time pad (OTP), which provides perfect secrecy. Perfect secrecy is a property a cryptographic system can have where the ciphertext alone reveals absolutely nothing about the plaintext. It does not mean that decryption without the key is impossible, but anything that can be determined must be determined without the help of the ciphertext, and one can never be sure that a guessed decryption is correct. The actual message is shown in Fig. 1.2 below.

There are specific rules that must be followed for the perfect secrecy of the OTP to hold; if any one of them is broken the cipher is no longer unbreakable. The key must be as long as the data being encrypted, it must be truly random, and it must be combined with the plaintext modulo the size of the alphabet in use. For example, an OTP for the English alphabet adds key and plaintext letters modulo 26. Each key must be used only once, and there must be only two copies, one for the sender and one for the receiver, both of whom destroy their copy after use. This is exactly how the military used the OTP during WWII, and it is why the message cannot be decrypted today. It is also why perfect secrecy is not practical for daily communications.

The requirement that the key be as long as the message makes distributing it to both parties impractical: if you had a secure way of sending something the length of the message to the recipient, it would make more sense to just send the message itself that way. Generating truly random numbers for the key is also costly, which rules the OTP out for any timely communication. Lastly, since each key can only be used once, these keys must be created and distributed for each individual message. This may have been possible for military operations, where code books were created and distributed carefully prior to a mission, but it will never work for e-mail.

[4] Zekany, "Decoding a carrier pigeon," 2600 The Hacker Quarterly, vol. 31, no. 4, pp. 31-33, 2015.

Fig. 1.2: The actual message, found by David Martin in 2012 in the chimney of a house in Bletchingley, south of London.

Compromise of Security and Usability

To make cryptography manageable for everyday use a different type of security is needed. Today nearly all cryptographic algorithms in use are only computationally secure: their security rests on a problem that is believed to be hard to compute, and the only known way to break the encryption is to solve that problem. In [1] a simplified algebraic illustration is given: an equation such as K_x + c_1 = K_y + c_2, where (c_1, c_2) are arbitrary constants and (K_x, K_y) are the keys, offers little computational difficulty, so large numbers of candidate solutions can be tried very quickly, whereas something like (K_x · 2) · e = (K_y ÷ 4) · e is comparatively much harder to generate different solutions for. The most common computational problems in use today are the discrete logarithm problem, the Diffie-Hellman problem and the RSA problem [2], [3].

While cryptosystems built on these problems are feasible for the day-to-day operation of the Internet and communication, none of the mentioned problems has been proven to be hard. There may exist a yet undiscovered algorithm that solves them efficiently, and if one is found the cryptosystems based on them will be completely broken. This includes the algorithms that currently secure nearly everything on the Internet. An efficient algorithm for one of these problems would bring all e-commerce to a halt and leave the Internet in general unusable until the affected algorithms had been replaced.

How Cryptosystems are Affected

Advances in mathematics threaten not only asymmetric encryption but also the security services it offers and evenmany uses of symmetric encryption used today.

Asymmetric Cryptography

Asymmetric cryptography works very differently from locks in the real world. It uses two keys, a public and a private key. Imagine Bob has a box and two keys made such that if the box is locked with one key, only the other key can unlock it. If Alice tells Bob she wants to send him a secret message, Bob sends Alice the box and only one of the keys (the public key). Alice writes her secret message, puts it in the box and locks it with the key Bob sent. She then sends the box to Bob, and even if someone copied the public key while it was in transit to Alice, they cannot open the box, because only the private key, which Bob alone possesses, can open it. When Bob gets the box he unlocks it with his private key and reads the message.

Key Generation: If Alice and Bob want to communicate privately over an insecure channel, each first generates an asymmetric key pair, as shown graphically in Fig. 1.3 and mathematically below. It is computationally easy to generate a key pair, while the inverse operation, recovering the private key from the public one, is believed to be hard, with no efficient algorithm known for conventional computers.

[1] Klaatu, "Pretty good privacy," 2600 The Hacker Quarterly, vol. 30, no. 4, pp. 30-49, 2014.

[2] A. Stamos, T. Ritter, T. Ptacek, and J. Samuel, "The factoring dead: preparing for the cryptopocalypse," Dec. 4, 2013. [Online]. Available: http://www.computerworld.com/article/2511969/security0/the-clock-is-ticking-on-encryption.html [Accessed November 23, 2015].

[3] T. Simonite, "Math advances raise the prospect of an internet security crisis," MIT Technology Review, Aug. 2013. [Online]. Available: http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/ [Accessed November 23, 2015].


Fig. 1.3: Public Key Generation


Note: Generating a RSA public-private key pair:

1. Choose large primes 𝑝, 𝑞

2. 𝑛 = 𝑝 · 𝑞

3. Φ(𝑛) = (𝑝− 1)(𝑞 − 1)

4. Choose 𝑘𝑝𝑢𝑏 = 𝑒 ∈ {1, 2, ...,Φ(𝑛) − 1} : gcd(𝑒,Φ(𝑛)) = 1

5. Compute 𝑘𝑝𝑟 = 𝑑 : 𝑑 · 𝑒 ≡ 1 mod Φ(𝑛)

In step 3 above, Φ(n) is simple to calculate only with knowledge of the prime factorization of n. Step 4 is simply a condition that guarantees the existence of the inverse d, the decryption key.

Fig. 1.4: Public Key Cryptography

Encryption: The key pair functions such that whatever either the private or the public key encrypts, only the other key can decrypt, as shown in the figure above. Mathematically this works by raising the plaintext x to the public exponent e and then reducing modulo the other part of the public key, n. See the complete equation below.

Note: Given:

𝑘𝑝𝑢𝑏 = (𝑛, 𝑒), 𝑥 ∈ Z𝑛 = {0, 1, ..., 𝑛− 1}

Encryption:

𝑦 = 𝑒𝑘𝑝𝑢𝑏(𝑥) ≡ 𝑥𝑒 mod 𝑛


Decryption: To decrypt, the ciphertext is raised to the private key exponent d and then reduced modulo n. See the complete equation below.

What an attacker wants above all else is the decryption exponent d. What a passive attacker has available is the public key (n, e) and all ciphertexts y. Given these, the known route to d is to compute Φ(n), which requires factoring n, a 1024-bit or larger number (2048 bits or more in current practice); this is the RSA problem.

If an efficient algorithm is found for factoring, or for computing Φ(n) directly (for n = p · q the two are equivalent), an attacker could compute any private key d and the entire encryption algorithm would be broken. This would also break every other scheme based on the difficulty of factoring large composite integers.

Note: Given:

𝑘𝑝𝑟 = 𝑑, 𝑦 ∈ Z𝑛 = {0, 1, ..., 𝑛− 1}

Decryption:

𝑥 = 𝑑𝑘𝑝𝑟 (𝑦) ≡ 𝑦𝑑 mod 𝑛
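Steps 1 to 5, encryption, decryption and the factoring attack just described, in Python as an added example (not code from the original notes). The primes are fixed Mersenne primes, chosen toy-sized so that the factoring step finishes quickly; the factoring itself uses Pollard's rho, whose cost grows with the square root of the smaller prime, which is why it cannot touch a real 2048-bit modulus. The message value is constructed, and real systems pad the message (OAEP) before the x^e step.

```python
"""Textbook RSA following steps 1-5 above, and the attack the text describes:
factor n, compute Phi(n), recover d. Added example, not from the original notes.
Toy primes (Mersenne M31 and M61); real keys use random 1024-bit+ primes."""
import math
import random

P_DEMO = 2**31 - 1      # prime (Mersenne M31)
Q_DEMO = 2**61 - 1      # prime (Mersenne M61)


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Steps 2-5: n = p*q, Phi(n) = (p-1)(q-1), require gcd(e, Phi) = 1, d = e^-1 mod Phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo Phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), d               # (k_pub, k_pr)


def encrypt(k_pub, x: int) -> int:
    n, e = k_pub
    if not 0 <= x < n:
        raise ValueError("plaintext must be in Z_n")
    return pow(x, e, n)            # y = x^e mod n


def decrypt(k_pub, d: int, y: int) -> int:
    n, _ = k_pub
    return pow(y, d, n)            # x = y^d mod n


def pollard_rho(n: int) -> int:
    """Nontrivial factor of n by Pollard's rho (Floyd cycle-finding).
    Cost ~ sqrt(smallest prime factor), so this only works for toy moduli."""
    if n % 2 == 0:
        return 2
    rng = random.Random(1)                      # fixed seed: deterministic demo
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        g = 1
        while g == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
        if g != n:                              # g == n: unlucky cycle, retry with new c
            return g


def recover_private_key(k_pub) -> int:
    """The attacker's route: factor n -> Phi(n) -> d. Knowing Phi(n) is equivalent
    to knowing p and q, so there is no shortcut to Phi that avoids factoring."""
    n, e = k_pub
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def roundtrip(x: int) -> bool:
    k_pub, d = rsa_keygen(P_DEMO, Q_DEMO)
    return decrypt(k_pub, d, encrypt(k_pub, x)) == x


if __name__ == "__main__":
    k_pub, d = rsa_keygen(P_DEMO, Q_DEMO)
    x = 1234567890                               # constructed message value in Z_n
    y = encrypt(k_pub, x)
    print("decrypt(encrypt(x)) == x:", decrypt(k_pub, d, y) == x)
    d_attacker = recover_private_key(k_pub)      # passive attacker: only (n, e) and y
    print("attacker recovered d:", d_attacker == d, "-> plaintext", decrypt(k_pub, d_attacker, y))
```

Replace P_DEMO and Q_DEMO with two random 1024-bit primes and the key generation and encryption still run instantly, while pollard_rho would need on the order of 2^512 steps: that gap is the whole of RSA's computational security.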

How Security Services are Affected

Security services provide confidentiality, message authentication, message integrity, and non-repudiation. All of theseservices are also threatened by the advancing progress in mathematics.

Key Exchange

The Diffie-Hellman key exchange (DHKE) is an algorithm for establishing keys securely over an insecure channel. It is used in many protocols, such as HTTPS, SSH, TLS and SMTPS. The security of the algorithm is based on the discrete logarithm problem (DLP) and is distinct from the RSA problem of integer factorization. Currently the best algorithm to break each happens to be an adaptation of the General Number Field Sieve (GNFS), but solving discrete logarithms with it is somewhat more expensive, which gives DH a small security margin over RSA at equal parameter sizes.

Diffie-Hellman key exchange’s application of the DLP allows it to generalized over cyclic groups beyond classicalDHKE’s multiplicative group over the prime field Z*

𝑝, which is also the group used by ElGamal and Digital SignatureAlgorithm (DSA). Should advances in mathematics improve the efficiency of solving the DLP in the cyclic group usedby classical DHKE it would be broken along with all other cryptographic algorithms based on the DLP for that group.This would not affect DHKE for other groups; however, such as the cyclic groups formed by an elliptic curve, themultiplicative group of a Galois field, or a Hyperelliptic curve.

The Discrete Logarithm Problem in Z*𝑝 Versus Generalized The DLP defined over the finite cyclic group Z*

𝑝 oforder 𝑝−1 with the primitive elements 𝛼, 𝛽 ∈ Z*

𝑝 consists of determining the integer 1 ≤ 𝑥 ≤ 𝑝−1 : 𝛼𝑥 ≡ 𝛽 mod 𝑝,or simply solving 𝑥 = log𝛼 𝛽 mod 𝑝. The ability to solve this problem would break every cryptosystem based on theDLP like DHKE. There has been gradual progress toward improving the efficiency of solving this problem and thathas lead to gradual growth in key sizes to offset the difficulty. If progress continues it may also show that even if theproblem is hard, it may not be hard enough to keep key sizes to a manageable length.

It is possible that there is another, still unknown, efficient way to break DH without solving the DLP; solving the DLP is just the most efficient way currently known. Luckily Diffie-Hellman can be generalized, and the generic algorithms for the general DLP run much slower than the specialized algorithms that attack classical DH. The generalized DLP is defined over a cyclic group (G, ∘) with |G| = n, i.e. the group cardinality is n. The problem is to find the integer x, 1 ≤ x ≤ n, such that:

β = α ∘ α ∘ ... ∘ α  (x times) = α^x   if ∘ is multiplication
                                = x · α   if ∘ is addition

Because the DLP is not restricted to a single group, specialized attacks leave cryptosystems based on the DLP in unaffected groups safe. The increased efficiency of attacks on the DLP in Z_p^* does not extend to elliptic curve Diffie-Hellman (ECDH): the elliptic curve DLP is not the same problem as the DLP modulo a large prime, and the GNFS does not apply to it, so only generic algorithms of cost about √n are known. This cryptographic diversity offers hope that migration to other algorithms is an option if a specialized solution to the DLP is found that breaks cryptosystems over a specific group. ECDH in particular reaches the same security with keys roughly an order of magnitude smaller (a 256-bit curve is comparable to a 3072-bit prime field), precisely because the recent advances in mathematics do not affect the group it is based on.

Digital Signatures

Digital signatures rely entirely on asymmetric cryptography and therefore are affected by the same problems as RSAand DH. Should an efficient algorithm be found to solve the problem that the cryptosystem is based on then it wouldalso render its signature algorithms broken. Luckily there exists cryptodiversity in signature algorithms also andvarious schemes have been adapted to signatures such as RSA digital signature, Digital Signature Algorithm (DSA),and elliptic curve based such as Elliptic Curve Digital Signature Algorithm (ECDSA).

Hash Functions

Cryptographic hash functions consist of two basic elements, a compression function and a domain extender. Thereexist many different forms of both compression functions and domain extenders and it is possible to create attacks thatwill weaken or break any given hash function based on either of the two.

If the compression function is based on a block cipher then any mathematical advances that are applicable to the blockcipher will also weaken the hash function. Similarly a new mathematical attack can affect a specific group of domainextenders.

Symmetric Cryptography

There exist two families of mathematical attacks on cryptosystems, analytical attacks and brute force attacks. Ana-lytical attacks seek to find a means to reduce the number of keys that must be tried by limiting the search throughdifferential cryptanalysis or linear cryptanalysis for example. Brute force attacks simply try every single possible key,this can also be done using specialized hardware. Security against brute force attacks lies simply in the size of thekeyspace and the time it would take to try every key, security against analytical attacks is much more complicated toassess.

For symmetric cryptography, some of the analytical attacks that have affected the security of block ciphers include differential, linear and integral cryptanalysis, meet-in-the-middle attacks, and mod n cryptanalysis, but there is a greater, all-encompassing threat. While improvements to these attacks might break or weaken some symmetric ciphers with the properties they exploit, in practice the security of the asymmetric algorithms carries over almost completely to symmetric ciphers as well, because the symmetric keys are established with them.

Without a secure method to establish symmetric keys, it would be impractical to use symmetric encryption for nearly all of its applications in use today. If asymmetric cryptography fell with the solution of the Diffie-Hellman, integer factorization or discrete logarithm problem, then key distribution for symmetric algorithms would be broken with it. For practical purposes this would leave symmetric cryptography good for little more than disk encryption and other settings where the key never has to be transmitted.


Fig. 1.5: Symmetric Cryptography

Conclusion

Mathematics keeps advancing, gradually weakening cryptosystems. Until a cryptosystem based on a problem of proven hardness exists, the best answer is cryptodiversity: having a variety of cryptosystems based on different underlying problems, so that if one is broken it is possible to migrate to another. On the applied side this must be complemented by applications that allow easy migration from one cryptographic algorithm to another, i.e. cryptographic agility.

1.4.7 Quantum Cryptography

It is no Silver Bullet

date 5 December, 2015

“If I have a little bit of free will, I can communicate in a secret way. If I don’t have free will, well, then secret communication does not make sense does it.”

—Artur Ekert

Note: Ported from the original LaTeX document very quickly; may contain some typos or other small errors. Still needs proof reading, citation double checking, etc.


The Quantum Age

The effects that quantum technology will have on technology lead to a lot of interesting articles, from quantum computer doomsdays destroying all uses of modern cryptography and introducing a dark age that reverts the Internet to the wild west it was in its early days, where no one may shop in safety without owning a quantum computer, to quantum cryptography being the unbreakable, forever secure silver bullet for privacy and confidentiality. In reality neither is true, and quantum physics is not even a proven science yet [1]. The truth is more complicated than such simplifications and mostly unknown.

Quantum Computers and Codebreaking

Quantum computers will not solve all computational problems; they only provide a different set of constraints that will lend themselves to improvements in some areas of computation. Quantum computers will have major implications for cryptography. While there is no definite time line for their development, there is currently an arms race driving their development. Given the implications they will have on cryptography and the modern value of information, not only to corporations but also to militaries, this is not surprising. A working commercial product is still years away; however, they are coming [1, 2].

Cryptographic Implications

The creation of a practical quantum computer will render all current mainstream cryptosystems broken, including DES, AES, IDEA, and RSA [2, 3, 1]. This will require a global shift away from nearly all encryption algorithms in use today, certainly all that are used by normal people transparently in day to day life, to either quantum or post-quantum algorithms. Unfortunately most applications built today suffer from security afterthought syndrome and are not developed with security in mind. Most will suffer from not being developed to have cryptographic agility.

The algorithms used for cryptanalysis happen to, in general, lend themselves more to quantum computers than to conventional ones. Quantum algorithms have the ability to exploit a property of electronic encodings, which is that they tend to be vulnerable to analysis using set theory. Both the DES P-Box and S-Box can be constructed using simple quantum register operations, and an entire DES decrypt function can be completed in microseconds. This can be leveraged to break systems such as DES and AES-256 in under a second; the expected speed up in general from conventional computer codebreaking to quantum is on the order of 2^50 [2].

Possibly the worst implication of quantum computers coming of age will be that past correspondence becomes breakable. The most important users of encryption, the journalists, whistleblowers, and activists, may be outed and persecuted. Under normal circumstances this would not be such a massive problem, but with the recent surge in adversarial power of organizations like the National Security Agency (NSA) it has become one. The NSA knows that this technology is coming of age soon and has been vastly expanding its long term data storage capacity with multi-billion dollar facilities. Once the capability exists they will begin to decrypt years old messages and persecute more people.

Current State

The quantum computer arms race has led to the development of quantum computers using a variety of different means and very different hardware designs. Despite this, nearly all quantum algorithms will run on any given quantum computer regardless of the hardware differences. Also, the input and output of quantum computers is limited to the same as that of conventional computers. This leads to quantum algorithms focusing on the processing of smaller datasets, like a Fourier transform, or set operations on relatively small objects [2]. This limitation may be a large bottleneck in their codebreaking abilities.

[1] R. Grimes, Quantum cryptography is the last, best defense, Web, [Accessed November 23, 2015], Aug. 2013. [Online]. Available: http://www.infoworld.com/article/2612240/security/quantum-cryptography-is-the-last–best-defense.html.

[2] D. D'Rave, “Quantum computers for code breaking,” 2600 The Hacker Quarterly, vol. 31, no. 3, pp. 56–58, 2014.

[3] Quantum cryptography: keeping your secrets secret, Web, [Accessed November 23, 2015], Mar. 2014. [Online]. Available: http://phys.org/news/2014-03-quantum-cryptography-secrets-secret.html.

Thermal noise is the primary limiting factor in quantum computer development today. It has led to the requirement of very strong error correction measures, which has further led to restrictions on the types of algorithms that will work efficiently. Specifically, combinatorial algorithms currently function better than recursive algorithms. The thermal noise problem is currently the primary factor limiting quantum computers to working with only a few qubits reliably, and to be of use for codebreaking many more will be needed. Registers used for codebreaking tend to be of size 64 qubits or larger; for example the 20 questions quantum algorithm for cracking DES-like block ciphers requires a 56 qubit quantum register and two 64 bit classical registers [2].

Quantum Cryptography

Fig. 1.6: Quantum Key Distribution Protocol

Conventional cryptography is based on mathematical problems that are thought to be hard to solve, on conventional computers at least. These problems have largely been taken from number theory. Quantum cryptography differs in that it uses the laws of quantum physics to build cryptosystems; specifically, current implementations of quantum cryptography use the properties of entangled photons [11, 5, 4], although it is thought that other means may be possible. The differences between the two approaches lend themselves to constructs with very different properties, benefits, weaknesses, and strengths.

An example quantum key distribution algorithm, between Alice and Bob, starts with Alice sending a key stream of photons to Bob. Each of the photons has an orientation that can be in any direction; see the arrows in the figure. When sending the keystream to Bob, Alice passes the photons through polarizers that restrict the orientation of the photons to only vertical, horizontal, $\pi/4$, and $3\pi/4$; these orientations are combined to form two classifications, rectilinear and diagonal. As Alice sends the keystream she switches the polarization between rectilinear and diagonal randomly for each photon sent, and one of the two possible directions of the photon for that polarizer is a 1 and the other a 0. For example, with the rectilinear polarizer vertical could be chosen as a 1 and horizontal as a 0 [4].

[11] D. D'Rave, “Crypto systems which resist quantum computers,” 2600 The Hacker Quarterly, vol. 31, no. 4, pp. 48–49, 2014.

[5] A. Mann, Laws of physics say quantum cryptography is unhackable. It's not, Web, [Accessed November 23, 2015], Jul. 2013. [Online]. Available: http://www.wired.com/2013/06/quantum-cryptography-hack/.

[4] M. Rouse, Quantum cryptography definition, Web, [Accessed November 23, 2015], Sep. 2005. [Online]. Available: http://searchsecurity.techtarget.com/definition/quantum-cryptography.

Bob, receiving the key stream, also chooses to measure each photon using either the rectilinear or the diagonal detector at random. On average, according to probability, Bob will choose correctly 50% of the time. Alice then tells Bob which polarizer she used, rectilinear or diagonal, when sending each photon, but keeps their orientation secret. Bob then checks what he randomly chose to measure each photon with against this data and discards the bits for each photon he measured with the wrong detector. He then informs Alice which bits he measured wrong and she does the same. They now have a shared key one half the length, on average, of the original keystream [4].
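The exchange just described, as an added example that is not part of the original document: a classical simulation of the polarization-basis protocol, in which the quantum behaviour is modelled by returning a random bit whenever the measuring basis differs from the sending basis. It goes one step beyond the text by adding an intercept-resend eavesdropper and the public comparison of a sample of sifted bits, which is how Alice and Bob notice the tampering; the 11% abort threshold is an assumption.

```python
import random

# Bases: 'R' (rectilinear: vertical/horizontal) and 'D' (diagonal: pi/4, 3pi/4).
# Each photon carries one bit; within a basis one orientation encodes 1, the other 0.

# Assumed abort threshold: if more than this fraction of the publicly compared
# sample bits disagree, Alice and Bob conclude the channel was tampered with.
QBER_ABORT_THRESHOLD = 0.11


def measure(bit, send_basis, measure_basis, rng):
    """Measuring in the sending basis returns the encoded bit; measuring in the
    other basis yields a uniformly random bit (the original state is destroyed)."""
    if send_basis == measure_basis:
        return bit
    return rng.randrange(2)


def transmit(bits, bases, bob_bases, rng, eavesdropper=False):
    """Bob's raw measurement results. With eavesdropper=True an intercept-resend
    attacker measures every photon in a random basis and re-emits what she saw,
    so photons she guessed wrong reach Bob in the wrong basis."""
    results = []
    for bit, basis, bob_basis in zip(bits, bases, bob_bases):
        if eavesdropper:
            eve_basis = rng.choice("RD")
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis  # the re-emitted photon is in Eve's basis, not Alice's
        results.append(measure(bit, basis, bob_basis, rng))
    return results


def sift(alice_bits, alice_bases, bob_bits, bob_bases):
    """Keep only the positions where the publicly announced bases match."""
    kept_a, kept_b = [], []
    for a_bit, a_basis, b_bit, b_basis in zip(alice_bits, alice_bases, bob_bits, bob_bases):
        if a_basis == b_basis:
            kept_a.append(a_bit)
            kept_b.append(b_bit)
    return kept_a, kept_b


def bb84(n_photons, seed=None, eavesdropper=False, sample_fraction=0.25):
    """Run one key exchange and return the sifted length, the error rate observed
    on the sacrificed sample, the accept/abort decision, and both parties' keys."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice("RD") for _ in range(n_photons)]
    bob_bases = [rng.choice("RD") for _ in range(n_photons)]
    bob_bits = transmit(alice_bits, alice_bases, bob_bases, rng, eavesdropper)
    sifted_a, sifted_b = sift(alice_bits, alice_bases, bob_bits, bob_bases)

    # Sacrifice a random subset of the sifted bits: compare them over the public
    # channel to estimate the error rate, then drop them from the final key.
    k = len(sifted_a)
    sample = set(rng.sample(range(k), int(k * sample_fraction)))
    disagreements = sum(1 for i in sample if sifted_a[i] != sifted_b[i])
    qber = disagreements / len(sample) if sample else 0.0
    key_a = [sifted_a[i] for i in range(k) if i not in sample]
    key_b = [sifted_b[i] for i in range(k) if i not in sample]
    return {
        "sifted": k,                 # about n_photons / 2, as the text says
        "qber": qber,                # ~0 on a clean channel, ~0.25 with intercept-resend
        "accepted": qber <= QBER_ABORT_THRESHOLD,
        "key_a": key_a,
        "key_b": key_b,
    }


if __name__ == "__main__":
    clean = bb84(4000, seed=1)
    tapped = bb84(4000, seed=1, eavesdropper=True)
    print(f"clean:  sifted={clean['sifted']} qber={clean['qber']:.3f} accepted={clean['accepted']}")
    print(f"tapped: sifted={tapped['sifted']} qber={tapped['qber']:.3f} accepted={tapped['accepted']}")
```

On a clean channel the sifted keys agree bit for bit; with the eavesdropper roughly a quarter of the compared bits disagree, which is well above the threshold, so the key is discarded rather than used.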

Potential Benefits

Quantum cryptography involves much less processing power than conventional cryptography and is therefore much more efficient to use. Unlike the mathematically intensive algorithms it simply involves sending, receiving, and measuring the state of some particles [5]. This could have the benefit of being able to change keys much more frequently with little overhead involved, leading to much better security in the case of a single non-persistent key compromise. It may also enable the use of encryption for even more applications that were previously too costly performance-wise.

Conventional cryptography, being based on the unproven hardness of mathematical problems, is constantly under attack from mathematical advances [6, 7]. Quantum cryptography’s basis in the laws of physics offers an escape from this problem [5, 1]. Quantum cryptography has provable security, that is, there exists a proof showing the difficulty for an attacker to break the system. This offers a definite theoretical level of security; however, it does not take into account side-channel attacks.

The greatest potential benefit arises out of this proven level of security and how great it is. It greatly reduces the level of trust required in hardware, software, and networks or, as Artur Ekert, pioneer of quantum key distribution, and Renato Renner, professor at ETH Zürich, put it [8], “The days we stop worrying about untrustworthy or incompetent providers of cryptographic services may be not that far away.” This capability arises out of device-independent quantum cryptography, which means that the security of the protocol is unaffected by devices that are malicious. This is allowed by randomness expansion and amplification that can be achieved using quantum devices but cannot be done with classical devices. The end result is essentially that it is not possible for an attacker to attempt to man-in-the-middle the key exchange without Alice and Bob knowing.

Current State

Quantum key distribution was first proposed more than 20 years ago [3] and since then a lot of research has been done on the theoretical security of the system, which has been overwhelmingly positive. Unfortunately though, quantum cryptography in practice has been shown to be anything but secure [5, 1]. Commercial implementations of quantum key distribution algorithms have been available for years now, and successful attacks have been produced quickly, such as this example from five years ago [9, 10]. The systems are also only practical for very specific use cases as they require a dedicated fiber optic line between the two endpoints and are further very limited in distance.

[6] T. Simonite, Math advances raise the prospect of an internet security crisis, Web, [Accessed November 23, 2015], Aug. 2013. [Online]. Available: http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/.

[7] A. Stamos, T. Ritter, T. Ptacek, and J. Samuel. (Dec. 4, 2013). The factoring dead: preparing for the cryptopocalypse. [Accessed November 23, 2015], [Online]. Available: http://www.computerworld.com/article/2511969/security0/the-clock-is-ticking-on-encryption.html.

[8] A. Ekert and R. Renner, “The ultimate physical limits of privacy,” Nature, vol. 507, no. 7493, pp. 443–447, 2014.

[9] V. Makarov, Cracking commercial quantum cryptography: how we did it, in pictures, Web, [Accessed November 20, 2015]. [Online]. Available: http://www.iet.ntnu.no/groups/optics/qcr/hacking-commercial-quantum-cryptography-2010/.

[10] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nature Photonics, vol. 4, no. 10, pp. 686–689, 2010.

The greatest drawback is that without a practical quantum computer, or quantum storage device, this is only useful for key distribution. Encrypted data is still stored on traditional media, which means that if it is encrypted, it is done using traditional algorithms [11]. The data is therefore still vulnerable to attacks by quantum computer algorithms. So even if all side-channel attacks against quantum cryptography are mitigated, an attacker could simply go after either the stored key or the stored data, both of which will only be as secure as traditional cryptography can be.

Post-Quantum Encryption Today

The perfect secrecy of the one-time pad extends even into the quantum age. It is entirely secure against attacks by quantum computers; unfortunately, as always, it has key distribution problems that render it nearly useless. Quantum cryptography is also secure against attacks from quantum computers [11]. But it is also possible to build quantum resistant cryptosystems that function on the principles of traditional cryptography.

The majority of quantum algorithms used for codebreaking can be guarded against by something as simple as having multiple keys. Quantum algorithms function much better when there is only one solution. An extremely simplified example of the effect multiple valid keys can have on these algorithms is that they may start with a state vector somewhere in the solution space, then each iteration they measure the error between the goal and the result and adjust for it. This works great if there is only one solution, but with multiple solutions it will prevent movement toward a single goal, and the algorithm will be unable to find a solution. Other algorithms will terminate, like the quantum Fourier transform; however, with a sufficient number of valid keys they will produce a superposition of all valid keys that is unintelligible [11].

Characteristic                           Parameter
Block Size (bits)                        512
Key Size (bits)                          1024
# Valid Keys                             2^512
# Brute Force operations for 50% chance  2^511
Security bits                            512

Multiple key systems could be developed for both symmetric and asymmetric cryptosystems. For example, a multiple key RSA-like system could be based on factoring large primes, but instead of using two large primes it would use n, and if the factorization of a large prime is required the factors of any one would be sufficient. Also see the table above for an example of the characteristics of a theoretical multiple key block cipher.

Conclusion

While theoretically it is true that [8] “as long as some of our choices are not completely predictable and therefore beyond the powers that be, we can keep our secrets secret”, it seems that, at least so far as it has been proven in practice thanks to side-channel attacks due to imperfect implementations, as Edgar Allan Poe put so eloquently [12], “We say again deliberately that human ingenuity cannot concoct a cypher which human ingenuity cannot resolve”.

1.4.8 Picking The Locks

Why try the Front Door,

if Someone Left the Window Wide Open

date 5 December, 2015

[12] C. S. Brigham, Edgar Allan Poe’s contributions to Alexander’s weekly messenger. The Society, 1943.

“Why it’s simply impassible!”

Alice: “Why, don’t you mean impossible?”

Door: “No, I do mean impassible. Nothing’s impossible!”

Lewis Carroll, Alice’s Adventures in Wonderland & Through the Looking-Glass

Note: Ported from the original LaTeX document very quickly; may contain some typos or other small errors. Still needs proof reading, citation double checking, etc.

The Weakest Link

Most cryptographic algorithms do not have provable security, that is, a proof showing beyond doubt what is the least effort needed to break the cipher. Yet they are still trusted; this is because the algorithms are public and the entire community of cryptography academics attempts to discover vulnerabilities. After enduring so much scrutiny from the cryptographic community an algorithm can be considered reasonably secure for use. The now famous phrase “trust the math”, attributed to Bruce Schneier, is now even sold on T-shirts along with variations such as “In Math We Trust.” But despite the math being sound, there are weak links in encryption protocols. As Edward Snowden said [1], “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on”; the key here is “Properly implemented”, which eliminates the weak links.

There is no reason to solve a very hard mathematical problem if there are other unconventional means to attack an implementation of a protocol. These attacks that find some means around dealing with the math are called side channel attacks. This type of attack has successfully broken 4096-bit RSA, for example, using just a microphone [3]. Another attack vector is keyloggers [5], which make any type of passphrase-based cryptographic system useless. It is even possible to use the accelerometers in compromised phones to steal passphrases [4].

Other attacks by more powerful adversaries include extra-legal actions by organizations like the NSA to backdoor or circumvent security systems [6, 7]. They certainly would not go through the trouble of these attacks if the math was not sound. As further proof there have been various cases such as the FBI finding ways to steal stored keys rather than simply breaking the encryption [8].

[1] Edward Snowden: NSA whistleblower answers reader questions, Web, [Accessed December 4, 2015], Jun. 2013. [Online]. Available: http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower.

[3] A. Sebastian, Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU, Web, [Accessed November 23, 2015], Dec. 2013. [Online]. Available: http://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu.

[5] N. Pathak, A. Pawar, and B. Patil, “A survey on keylogger: a malicious attack,” International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), vol. 4, no. 4, pp. 1465–1469, Apr. 2015.

[4] D. Damopoulos, G. Kambourakis, and S. Gritzalis, “From keyloggers to touchloggers: take the rough with the smooth,” Computers & Security, vol. 32, pp. 102–114, 2013.

[6] T. Simonite, NSA leak leaves crypto-math intact but highlights known workarounds, Web, [Accessed November 23, 2015], Sep. 2013. [Online]. Available: http://www.technologyreview.com/news/519171/nsa-leak-leaves-crypto-math-intact-but-highlights-known-workarounds/.

[7] S. Rambam, “You’ve lost privacy, now they’re taking anonymity (aka whistle-blowing is dead - get over it),” (Hotel Pennsylvania, Jul. 18–20, 2014), Talk given at the biennial HOPE (Hackers on Planet Earth) Conference, NYC, NY, Jul. 19, 2014.

[8] L. Wood, The clock is ticking on encryption, Web, [Accessed November 23, 2015], Dec. 2010. [Online]. Available: http://www.computerworld.com/article/2511969/security0/the-clock-is-ticking-on-encryption.html.

Fig. 1.7: NSA intercepting and tampering with a router.

Wi-Fi: Exploiting the Weakest Link

The Evolution of Wi-Fi

Cryptography, and cyber security in general, is an iterative process. Over time new attacks and weaknesses are found, both in the math and in implementations, and those are corrected. Sometimes better means are developed reactively and sometimes proactively, and the evolution of Wi-Fi security and encryption follows this pattern.

From WEP to WPA2

Wired Equivalent Privacy (WEP) was born in 1999 with IEEE 802.11. It uses a 40 or 104 bit key along with a 24 bit Initialization Vector (IV), and the RC4 stream cipher. It only took two years to be broken, and today with tools like aircrack-ng it can be broken in seconds simply by listening to traffic. As of 2004 WEP has been replaced with Wi-Fi Protected Access II (WPA2) in the IEEE 802.11i standard [9].

Wi-Fi Protected Access (WPA) was designed to be backwards compatible with the hardware that WEP algorithms ran on, which required the use of WEP’s RC4 to encrypt traffic. While the addition of the Temporal Key Integrity Protocol (TKIP) no longer allows the system to be broken by simply listening, in 2008 an attack on TKIP was released which allows an attacker to send some chosen packets by exploiting WPA’s Message Integrity Check (MIC), which was used to replace WEP’s CRC-32 [9].

WPA2 uses the same 8-63 character Pre-Shared Key (PSK) as WEP; however, it avoids the problems of WEP and WPA by replacing both TKIP and RC4 with the AES Counter Mode CBC-MAC Protocol (AES-CCMP), which restricts AES to 128 bits, with AES-CBC mode providing robust protection against patterns being found and CBC-MAC providing excellent message integrity [9].

Authentication for WPA2 consists of a 4-way handshake between the client station (STA) and an access point (AP). The protocol used to establish a Pairwise Master Key (PMK) is the Extensible Authentication Protocol over LAN (EAPoL). This is done with 4,096 iterations of the PSK, salted with the AP’s ESSID, through the Password-Based Key Derivation Function (PBKDF2), which uses the HMAC-SHA1 hash function. The 256 bit PMK is then used to generate a session key called the Pairwise Transient Key (PTK) [9]. Knowing the PMK completely breaks the system and allows an attacker to decrypt all traffic by deriving each individual PTK.

[9] ternarybit, “Wi-fi security: attack and defense,” 2600 The Hacker Quarterly, vol. 30, no. 4, pp. 18–23, 2013.

Rainbow table attacks are prevented by salting the PSK with the ESSID, and the many iterations of HMAC-SHA1 ensure that generating PMKs is expensive. Both of these design choices grant a high resistance to brute force attacks.
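The PMK derivation described above, as an added example that is not code from the cited article or any vendor: PBKDF2 with HMAC-SHA1, 4096 iterations, the ESSID as salt and a 256-bit output, self-checked against the test vector published in IEEE 802.11i. The weak_default_indicators audit helper and its "ATT###" pattern are assumptions built from the weak defaults the next section describes, written from the point of view of someone checking their own network.

```python
import hashlib
import re

PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32  # 256-bit Pairwise Master Key

# Published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"). It is
# used here only to self-check the derivation; it is not a real network's credential.
IEEE_TEST_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

# Assumed vendor ESSID patterns (the "ATT###" scheme described in the text); a
# pattern this small means only a handful of distinct salts exist for those APs.
VENDOR_ESSID_PATTERNS = [re.compile(r"ATT\d{3}")]


def validate_passphrase(passphrase):
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must consist of printable ASCII")


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 256 bits).
    The salt is why a PMK table built for one ESSID is useless against another."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH,
    )


def weak_default_indicators(passphrase, ssid):
    """Hypothetical audit helper: reasons a PSK/ESSID pair looks like a weak default."""
    findings = []
    if passphrase.isdigit():
        findings.append("numeric-only passphrase")
    if re.fullmatch(r"\d{10}", passphrase):
        findings.append("10-digit numeric passphrase (the default length described)")
    if any(p.fullmatch(ssid) for p in VENDOR_ESSID_PATTERNS):
        findings.append("ESSID matches a vendor default pattern (tiny salt space)")
    return findings


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE").hex() == IEEE_TEST_PMK
    # Same passphrase, different salt: every byte of the PMK changes.
    print(derive_pmk("password", "IEEE").hex())
    print(derive_pmk("password", "ieee").hex())
    # Constructed sample pair in the shape of the defaults the text describes.
    print(weak_default_indicators("0123456789", "ATT123"))
    print(weak_default_indicators("correct horse battery staple", "home-net"))
```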

WPA2 Side Channel Attacks

Despite WPA2’s cryptographic protocol being secure on paper, there exist side channel attacks that can be exploited, due to both human and manufacturer error, negligence, and complacency. Both the use of weak passphrases by users and bad default settings from manufacturers, which most people will never change, can break the security of WPA2.

Attacking EAPoL Handshakes

Reauthentication is required every so often between WPA2 STAs and APs; it can also be coerced by sending deauthentication packets to a STA. There are many tools to eavesdrop on EAPoL handshakes, such as airodump-ng, and it is as simple as the following commands.

    airmon-ng start <interface>
    airodump-ng -w <output file> <interface>

After capturing the handshake a dictionary attack can be run, with software such as aircrack-ng, to attempt to determine the PSK. Dictionary attacks are a sort of side channel attack that exploits the human component of applied cryptography: even if the cryptographic system is solid, a user with a weak password will be a weak link that can be exploited to bring down the entire system. True brute force attacks are not possible due to the large keyspace, although recently tools like pyrit have been able to massively increase the size of dictionaries that can be run by leveraging GPUs. The following pseudocode shows how simple it is to initiate an attack on the already captured handshake.

    pyrit -i <path to dict> import_unique_passwords
    pyrit -r <capturedHandshake.cap> attack_batch

Now it is simply a waiting game and if there exists a matching PSK in the dictionary file a PMK can be derived.

Breaking WPA2 Default Configurations

Recent modem and AP combo devices from AT&T DSL come pre-configured with WPA2-AES/CCMP, which is a good default, but there is also a default PSK with a finite number of possibilities that can not only be pre-computed, but in only days using a standard computer. Like many other companies they ship with highly recognizable ESSIDs following the pattern “ATT###”, where ### can be any 3 digit number; needless to say the number of possible salts here is not very high. The list of all possible 10 digit numeric-only passwords, the exact length of all default passwords, can be created easily using crunch with only 102 GiB of storage [9]. Running the following pseudocode, where min and max set the range of digits of the output and char set is the list of all possible characters, will generate every numeric 10 digit passphrase.

crunch <min> <max> <char set> -o <path> START

To attack with pyrit simply run the same pyrit commands above, directing them to import crunch’s output and run against a captured handshake from the AT&T device.

Other Attacks

AT&T is by no means the only company with vulnerable default configurations; there exist similar attacks against the default configuration of Netgear and other routers also. Even worse, an auto-configuration tool deployed in 2007 called Wi-Fi Protected Setup (WPS) is terribly flawed. The attempt to create a more user friendly experience, which again is secure on paper, was implemented very poorly, resulting in an attack that is guaranteed to reveal any PSK. Disabling WPS and using WPA2-AES/CCMP with a strong passphrase does offer excellent security. This would drive most attackers to simply move on to another target or attempt other methods.

Conclusion

Keeping data secure requires not only math you can trust but also a solid implementation and physical security [3]. If an attacker can exploit any sort of easier and more direct means to compromise the data they want they will; it is fairly easy to gain access to nearly any system today and get access to stored data and potentially even the keys [10]. Although there will always be some sort of risk thanks to Mayfield’s Paradox [11], which states that both the cost of keeping everyone out of a system and the cost of getting everyone into a system are infinite, while in between the two extremes costs are manageable.

There exists an even greater threat than that to individuals and companies though: the threat to democracy itself. Thanks to the exploitation of side channel attacks by the National Security Agency (NSA) [6, 7] and the current state of dealing with people who speak out against unconstitutional abuses of power, the spy agencies have gained too much power. As Edward Snowden said [2], “The government has developed an exploit chain that provides basically the root password to our constitution. They’ve escaped the sandbox of our democracy and they’re basically using it to change our Bill of Rights without us seeing it.”

1.4.9 Glossary

date 2 February, 2016

Independence The next output cannot be computed if the previous output is known, or: it is impossible to compute $X_{n+1}$ if $X_n$ is known.

Initialization Vector, Initialization Vectors A fixed size input to a cryptographic primitive that is used to prevent the repetition of two identical states. This allows the repeated use of a cryptosystem using the same key without generating the exact same output.

Some systems may require that the IV (Initialization Vector) be random and others only that it does not repeat, i.e. that it is a nonce.

IV See Initialization Vector.

NONCE (number used once) A number which is used only one time, sometimes used as a way to refer to a particular type of Initialization Vector.

Preimage Sometimes used to refer to a function’s input.

Secure Socket Layer see Transport Layer Security.

SSL (Secure Socket Layer) see Transport Layer Security.

TLS (Transport Layer Security) See Transport Layer Security.

[10] R. Grimes, Quantum cryptography is the last, best defense, Web, [Accessed November 23, 2015], Aug. 2013. [Online]. Available: http://www.infoworld.com/article/2612240/security/quantum-cryptography-is-the-last–best-defense.html.

[11] “Mathematical proofs of Mayfield’s paradox: a fundamental principle of information security,” ISACA, vol. 2, 2001, [Accessed December 4, 2015]. [Online]. Available: http://www.isaca.org/Journal/archives/2001/Volume-2/Pages/Mathematical-Proofs-of-Mayfields-Paradox-A-Fundamental-Principle-of-Information-Security.aspx.

[2] E. Snowden and D. Ellsberg, “A conversation with Edward Snowden,” (Hotel Pennsylvania, Jul. 18–20, 2014), Talk given at the biennial HOPE (Hackers on Planet Earth) Conference, NYC, NY, Jul. 19, 2014.

Transport Layer Security Cryptographic protocols designed for securing communications over a network, by providing privacy and data integrity between applications.

Uniform Distribution The probability of each item in a sequence appearing is equal, or uniform. For digital data this means the probability of generating a 0 or a 1 is the same, and that as the amount of data being analyzed approaches infinity the percentage of occurrences of each will converge to 0.5 or 50%. In the English alphabet this would mean each letter appears $1/26$ of the time in an infinite amount of text output.

1.5 Information Security

Blue Team

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.”

—Gene Spafford

Red Team

“The rule is, not to besiege walled cities if it can possibly be avoided. The preparation of mantlets, movable shelters, and various implements of war, will take up three whole months; and the piling up of mounds over against the walls will take three months more.”

—The Art of War, Sun Tzu


1.5.1 Network Architecture

date 18 January, 2016

“The Domain Name Server (DNS) is the Achilles heel of the Web. The important thing is that it’s managed responsibly.”

—Tim Berners-Lee

Introduction

The Internet is a network of networks, and while it has structure there is no centralized point it stems from, no centralized authority. The architecture of the Internet allows different types of networks to communicate and is based on a sort of hierarchical structure. As seen below in the map of the Internet, the structure is an organic interconnection much like the nervous or cardiovascular system of a living being. Also like a living being it responds to attacks defensively; as John Gilmore said, “The Net interprets censorship as damage and routes around it.”

Anti-censorship is perhaps one of the most important areas in Information Security: the defense of information access and, by extension, the freedom of society. In order to understand the tools used for such ends, such as Tor, and the vast majority of computer security in general, an in depth knowledge of Internet architecture is a requirement.

Fig. 1.8: An Opte Project visualization of routing paths through a portion of the Internet.

As shown in the Internet architecture figure, at the top of the Internet hierarchy sit the global ISPs, who provide service to regional ISPs, mobile networks, and possibly very large corporate, government, and academic institutions with special needs. The regional ISPs provide Internet service to end users, small businesses, mobile, and possibly larger institutions. Together the global ISPs and regional ISPs maintain the links to the Internet backbone, which are usually constructed with a mesh topology (any to any connections).


Below the ISPs are the access networks where end users are. These consist of home networks, schools, small businesses, mobile, and so on. Also present, though, are possibly large institutions, who for various reasons may have built their own core network, which is likely connected to the public network at some point.

Home networks will largely look something like the example below: simply a modem connecting to an ISP by either fiber, DSL, coaxial, or (hopefully not) a phone line. A router with a baked-in firewall that allows both wireless and wired connections is the norm, although typical home network routers with default settings are (usually) highly vulnerable and easy to identify. There are of course exceptions to this; there is no reason a home network cannot be partitioned with different subnets or have any type of internal structure the owner wants.

Although end users are free to have any type of internal network they would like, ISPs generally block certain ports for various reasons ranging from security to greed. For example, some of Cox Communications's list of blocked ports for residential subscribers includes:

1.5. Information Security 91

rtfm Documentation, Release 0.0a0.post0.dev144+ng4fb6122

Port   Transport   Protocol        Direction
25     TCP         SMTP            Both
80     TCP         HTTP            Inbound
135    UDP         NetBios         Both
1433   TCP         MS-SQL          Inbound
1900   UDP         MS-DS/NetBios   Both

Fig. 1.9: A typical home network.

The home network is an example of a LAN, which consists of a locally managed computer network. LANs may consist of one or more subnets but are limited to a small area such as a residence or a single building. It is possible to connect routers in various ways, wireless and wired, to form subnets. A good breakdown of the different ways to connect the parts of a network can be found on the dd-wrt linking routers page, which provides a high-level overview of the common ways routers can be linked.

Fig. 1.10: A network partitioned with subnets.


Wireless networks are everywhere today, from coffee shop WiFi to the home. It is no longer possible to get a phone without a data plan. Wireless networks use access points that use radio frequency and antennas to create data connections with devices. Once the data is exchanged with the device it travels by wire through the network like normal, although there is no reason multiple wireless hops could not be in the route. The IEEE 802.11 standards define wireless technologies which provide different trade-offs in performance such as range, object penetration, and speed. The most common frequencies for home routers currently are 2.4 GHz and 5 GHz, and worldwide GSM is very popular for cell phone networks.

Fig. 1.11: Two most common types of wireless networks.

Special considerations must be taken for securing wireless networks, and because of the extra risk involved with them it is important to consider whether their benefit outweighs the risk. There may be ways to reduce the number of wireless access points or eliminate them completely. For example, it is unlikely that a home network's WiFi signal is limited to the home itself, meaning that physical access is not required to attempt to compromise the network. In apartment complexes there may be ten or even more people who could attempt to compromise the network from home.

Even if this may seem unlikely, it is also possible someone wardriving could decide to attack a home network, especially if it is known to be a weak default configuration. There is automated software for wardriving that performs services such as automatically logging information on all networks discovered, their location, whether they are likely to be using default configurations, and so on. It is also very easy to create homebrew tools that perform similar actions.

Internet Protocol Stack

Each of the five layers has its own job and depends on the others to do theirs. As a packet moves through the stack each layer appends a header to the packet, and to differentiate between the headers they are given different names. The headers contain the information needed to route the packet to its final destination, like the address on an envelope. For a node to process a layer it must process all lower layers.

Layer Name          Layer #   Header Name   Primary Function
Application Layer   5         Message       FTP, SMTP, HTTPS
Transport Layer     4         Segment       TCP, UDP
Network Layer       3         Datagram      IP, Routing Protocols
Data Link Layer     2         Frame         Ethernet
Physical Layer      1                       Manchester Encoding


Different devices need to process information from different levels of the protocol stack: notably, the sender must always append all header information and the receiver also must process all layers. Routers only need up to the network layer and link-layer switches only need to process data up to the link layer. At least, that is all they should be processing.

Another possible security concern here is Deep Packet Inspection (DPI) devices. Can devices on the Internet be trusted to only look at the bits they need to? Absolutely not; not even ISPs can be trusted. DPI is used for data mining, eavesdropping, and censorship.
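To make the layer table and the point that a router reads only up to the network layer concrete, here is an added example (not code from the original page) that builds a UDP-over-IPv4-over-Ethernet frame with struct, then parses it once as a router would (link and network headers only, TTL decremented and the IPv4 checksum recomputed) and once as the destination host would. The MAC addresses, source IP, ports and message are constructed sample values.

```python
import socket
import struct

# Constructed sample values for the demonstration (not from the original page).
SRC_MAC = "02:00:00:00:00:01"
DST_MAC = "02:00:00:00:00:02"       # the first-hop router's MAC
SRC_IP = "192.168.2.10"
DST_IP = "162.209.114.75"           # readthedocs.org as resolved in the text
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ipv4_checksum(header):
    """RFC 791 header checksum: ones'-complement of the ones'-complement sum of 16-bit words.
    Run over a header that already carries its checksum, the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(message, sport, dport, ttl=64):
    """Layer 5 message -> layer 4 segment -> layer 3 datagram -> layer 2 frame."""
    # UDP header: source port, destination port, length, checksum (optional on IPv4, left 0)
    segment = struct.pack("!HHHH", sport, dport, 8 + len(message), 0) + message
    # 20-byte IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, ttl, PROTO_UDP, 0,
                            socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_checksum(ip_header)) + ip_header[12:]
    datagram = ip_header + segment
    # Ethernet header: destination MAC, source MAC, EtherType
    return mac_bytes(DST_MAC) + mac_bytes(SRC_MAC) + struct.pack("!H", ETHERTYPE_IPV4) + datagram


def parse_link(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}, frame[14:]


def parse_network(datagram):
    fields = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (fields[0] & 0x0F) * 4
    info = {"src": socket.inet_ntoa(fields[8]), "dst": socket.inet_ntoa(fields[9]),
            "ttl": fields[5], "proto": fields[6], "total_len": fields[2],
            "checksum_ok": ipv4_checksum(datagram[:ihl]) == 0}
    return info, datagram[ihl:fields[2]]


def parse_transport(segment):
    sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport}, segment[8:length]


def router_view(frame):
    """A router reads layers 2 and 3 only; the transport header and message stay opaque bytes."""
    link, datagram = parse_link(frame)
    net, payload = parse_network(datagram)
    return {**link, **net, "opaque_bytes": len(payload)}


def forward(frame, next_hop_mac):
    """Forwarding rewrites layer 2, decrements TTL and recomputes the layer 3 checksum.
    Assumes the 20-byte header built by encapsulate(); returns None when the TTL expires."""
    link, datagram = parse_link(frame)
    header = bytearray(datagram[:20])
    if header[8] <= 1:
        return None            # TTL exceeded: drop (a real router also sends ICMP Time Exceeded)
    header[8] -= 1
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    # The frame was addressed to this router, so its MAC becomes the new source MAC
    return (mac_bytes(next_hop_mac) + mac_bytes(link["dst_mac"]) + struct.pack("!H", ETHERTYPE_IPV4)
            + bytes(header) + datagram[20:])


def host_view(frame):
    """The destination host must process every layer to recover the application message."""
    link, datagram = parse_link(frame)
    net, segment = parse_network(datagram)
    trans, message = parse_transport(segment)
    return {**link, **net, **trans, "message": message}


if __name__ == "__main__":
    frame = encapsulate(b"hello", 40000, 53)
    print(router_view(frame))
    print(host_view(forward(frame, "02:00:00:00:00:03")))
```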

Application Layer

Services for network application developers such as:

• File Transfer Protocol (FTP)

• Simple Mail Transfer Protocol (SMTP)

• Hypertext Transfer Protocol (HTTP)

• Hypertext Transfer Protocol Secure (HTTPS)

It is based on a client-server architecture: the server responds to clients, and the clients may request services from the servers. The client must initiate communications but need not always remain online; the server, on the other hand, values availability very highly as it is unknown at what time any given client may request a service. Servers also typically have fixed IP addresses, another thing that is normally not available with residential service from an ISP. Residential accounts normally have a dynamic IP address versus a static IP address.

Hypertext Transfer Protocol (HTTP) The primary protocol of the Internet and essential to many attacks. HTTP has two types of messages, request and response. The client sends a request to a server and the server responds with the page or resource requested if it is found.

Domain Name System (DNS) Resolves hostnames (www.readthedocs.org) to IP addresses, which is (162.209.114.75) for me today. DNS is basically just a distributed database that holds the mappings of hostnames to IP addresses for the Internet. It consists of:

• Resolving (Local) Name Servers

• Root Name Servers

• TLD Name Servers

• Authoritative Name Servers

Transport Layer

The transport layer's focus is on data transfer between hosts, such as with TCP and UDP. The host's transport layer breaks up the messages into segments, attaches its header, and passes the segment to the network layer. The server's transport layer receives the segment from the network layer and handles it according to the protocol being used.

Sockets Sockets are programming interfaces between the application and transport layers. Sockets get associated with a particular application and port; the port number is stored in the transport layer header so the packet can be given to the correct application.

Fig. 1.12: How a packet travels through the protocol stack and what headers different devices read.

UDP sockets are addressed by a two-tuple (IP address, port number), which can be seen in the code for tcp_client.py and tcp_server.py below, actually stored in a two-tuple as (target_host, target_port) and (bind_ip, bind_port). TCP is addressed by a four-tuple (IP address, target port, source IP, source port); the two-tuple works below for TCP because the Python socket module handles the rest.

UDP packets sent to the same server, even from different clients, will all be delivered to the same socket because there is no association between the connection and an application; it is a connectionless protocol. TCP associates a connection with applications and therefore packets sent to the same server port from different clients will be delivered to whatever application they are associated with.

It is past time to look at some code now:

Listing 1.3: tcp_client.py

    import socket

    def main():
        # The (host, port) two-tuple that addresses the socket
        target_host = "www.readthedocs.org"
        target_port = 80

        # AF_INET = IPv4, SOCK_STREAM = TCP
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client.connect((target_host, target_port))
        # A minimal HTTP/1.1 request; the Host header is mandatory in HTTP/1.1
        client.send(b"GET / HTTP/1.1\r\nHost: readthedocs.org\r\n\r\n")

        # Read up to 4096 bytes of the response
        response = client.recv(4096)

        print(response)
        client.close()

    if __name__ == "__main__":
        main()

The code is fully functional and can be downloaded and run to see what any site returns just by changing the target_host. It is well commented and the download link is the caption. Running this code as is currently returns:

$ python tcp_client.py

b'HTTP/1.1 302 Moved Temporarily\r\nServer: nginx/1.4.6 (Ubuntu)\r\nDate: Sun, 24 Jan 2016 05:49:34 GMT\r\nContent-Type: text/html\r\nContent-Length: 169\r\nConnection: keep-alive\r\nLocation: https://readthedocs.org/\r\nX-Frame-Options: DENY\r\nX-Deity: web03\r\n\r\n<html>\r\n<head><title>302 Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>302 Found</h1></center>\r\n<hr><center>nginx/1.4.6 (Ubuntu)</center>\r\n</body>\r\n</html>\r\n'

Looks like these pages are being served up by a Nginx server running on Ubuntu.

Transmission Control Protocol (TCP) TCP is used when a reliable connection is needed; the protocol ensures that all data reaches the destination and in the right order. It will also ensure that data isn't sent quicker than the server can handle. All of that slows down the data transfer speeds though; UDP is only chosen over TCP when speed is needed and accuracy is not.

A TCP connection is set up with a 3-way handshake: the connection must be requested, opened, and closed according to the rules. A server generally listens passively, like in the example tcp_server.py below, waiting for another computer to actively send a connection request. TCP assigns each segment sent a sequence number and the receiver must acknowledge every byte it gets. If the segment is part of the 3-way handshake establishing the connection, the sequence number is that of the first byte to be sent minus one and is called the ISN (Initial Sequence Number). The 3-way handshake steps are as follows:

1. Alice sends:

• SYN (Synchronize) = 1

• ACK (Acknowledge Request) = 0


• Sequence Number = X (Alice’s ISN)

2. Bob receives and returns:

• SYN = 1

• ACK = 1

• Sequence Number = Y (Bob’s ISN)

• Acknowledgment Number = X (Alice’s ISN)

3. Alice sends acknowledgement to Bob for his ISN:

• SYN = 0

• ACK = 1

• Sequence Number = X+1 (Alice’s ISN + 1)

• Acknowledgment Number = Y (Bob’s ISN)

After the 3-way handshake the synchronize phase is done and data is transmitted using the same send, receive, and acknowledge scheme. Each open TCP connection eats up some resources on the server, as shown in the example tcp_server.py below with the call client_socket.recv(1024), which is allocating a buffer for receiving data. Although the number of connections can be limited, server.listen(3) limiting the number of inbound connections to 3, it is still a DOS attack vector.

Listing 1.4: tcp_server.py

    import socket
    import threading

    def main():
        # The (bind_ip, bind_port) two-tuple; 0.0.0.0 means every local interface
        bind_ip = "0.0.0.0"
        bind_port = 9999

        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server.bind((bind_ip, bind_port))
        # Backlog of 3: at most 3 pending inbound connections are queued
        server.listen(3)

        print("[*] Listening on %s:%d" % (bind_ip, bind_port))

        while True:
            # accept() blocks until a client connects and returns its (ip, port)
            client, addr = server.accept()
            print("[*] Accepted connection from: %s:%d" % (addr[0], addr[1]))
            # Handle each client on its own thread so the accept loop keeps running
            client_handler = threading.Thread(target=handle_client, args=(client,))
            client_handler.start()

    def handle_client(client_socket):
        # Allocate a 1024-byte buffer and read whatever the client sent
        request = client_socket.recv(1024)
        print("[*] Received: %s" % request)
        client_socket.close()

    if __name__ == "__main__":
        main()

If this is run and the target_host and target_port in tcp_client.py are changed to connect to it on 0.0.0.0, the following is the output:

[*] Listening on 0.0.0.0:9999
[*] Accepted connection from: 127.0.0.1:42346
[*] Received: GET / HTTP/1.1
Host: readthedocs.org

As is seen here, even though in the tcp_client.py code client.connect((target_host, target_port)) the client's IP address and port are not explicitly sent, the server receives this information.
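A hardened variant of tcp_server.py, added here as an example and not the page's own code: the same accept loop, but with a cap on concurrent handlers (so a flood of connections cannot keep allocating threads and buffers) and a recv timeout (so a client that connects and stays silent cannot hold its slot indefinitely). The limits and the localhost test harness in exercise() are constructed for the demonstration.

```python
import socket
import threading
import time

# Constructed limits for the demonstration; tune them for a real service.
MAX_CLIENTS = 3       # the text's server.listen(3) backlog, now also a cap on live handlers
RECV_TIMEOUT = 1.0    # seconds a connected client may stay silent before it is dropped
MAX_REQUEST = 1024    # same per-connection buffer as client_socket.recv(1024) in the text


class BoundedServer:
    """tcp_server.py with two resource bounds: a handler cap and a per-client recv timeout."""

    def __init__(self, bind_ip="127.0.0.1", bind_port=0):   # port 0: the OS picks a free port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_ip, bind_port))
        self.sock.listen(MAX_CLIENTS)
        self.sock.settimeout(0.2)                 # lets the accept loop notice stop()
        self.address = self.sock.getsockname()    # (ip, port) actually bound
        self.slots = threading.BoundedSemaphore(MAX_CLIENTS)
        self.received = []                        # (peer address, request bytes) per handled client
        self.rejected = 0                         # connections closed because every slot was busy
        self._lock = threading.Lock()
        self._stop = threading.Event()

    def serve_forever(self):
        while not self._stop.is_set():
            try:
                client, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break                             # listening socket closed by stop()
            if not self.slots.acquire(blocking=False):
                # Every handler slot is busy: close at once instead of letting one more
                # slow client pin a thread and a MAX_REQUEST-byte buffer.
                with self._lock:
                    self.rejected += 1
                client.close()
                continue
            threading.Thread(target=self.handle_client, args=(client, addr), daemon=True).start()

    def handle_client(self, client, addr):
        try:
            client.settimeout(RECV_TIMEOUT)
            try:
                request = client.recv(MAX_REQUEST)
            except socket.timeout:
                request = b""                     # silent client: record nothing, free the slot
            with self._lock:
                self.received.append((addr, request))
        finally:
            client.close()
            self.slots.release()

    def stop(self):
        self._stop.set()
        self.sock.close()


def exercise(payload):
    """Start a server, connect one client that sends payload (nothing if None),
    and return the (peer address, request) the server recorded for it."""
    server = BoundedServer()
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    with socket.create_connection(server.address) as client:
        if payload is not None:
            client.sendall(payload)
        # For an idle client this wait is bounded by RECV_TIMEOUT, not by the client
        deadline = time.monotonic() + RECV_TIMEOUT + 3
        while not server.received and time.monotonic() < deadline:
            time.sleep(0.05)
    server.stop()
    worker.join(timeout=2)
    return server.received[0] if server.received else None


if __name__ == "__main__":
    print(exercise(b"GET / HTTP/1.1\r\nHost: readthedocs.org\r\n\r\n"))
    print(exercise(None))   # a silent client is dropped after RECV_TIMEOUT
```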

Network Layer

The network layer is primarily concerned with routing packets from source to destination (IP, routing protocols). While everyone is free to partition their internal networks any way they please (assuming NAT (Network Address Translation) is used), this is not true for the external address for incoming datagrams to the network layer. Just like house numbers must be labeled in a way that packages can be delivered in some structured manner, so must Internet IP addresses. Also, just as anyone can number the doors inside their building for internal addressing any way they want without affecting this system, so can network administrators. This is where edge routers differ from the others.

IP Addressing It may be best to use a private IP range specified by ICANN though:

• 10.0.0.0 - 10.255.255.255

• 172.16.0.0 - 172.31.255.255

• 192.168.0.0 - 192.168.255.255

There are some other special IP addresses too:

• Broadcast (sent to all hosts on network)

– Take the hosts IP address and set any ‘0’ bits in the subnet mask to ‘1’

– 255.255.255.255

– 129.152.255.255

• All 0's host ID refers to the network itself.

– 129.152.0.0

• Autoconfiguration.

– 169.254.0.0 - 169.255.255.255

• Addresses beginning with 127 are loopback addresses.

– 127.0.0.1

Note: This is how tcp_server.py told us we were talking to ourselves when it told us:

[*] Accepted connection from: 127.0.0.1:42346

The address class system divides IP addresses into the following:

• Class A:


– First 8 bits are the address (Network ID).

– Final 24 bits are the host ID.

– Small number of Class A addresses available.

– Very large number of hosts possible (2^24).

• Class B:

– First 16 bits are the address (Network ID).

– Final 16 bits are the host ID.

– Moderate number of Class B addresses available.

– Moderate number of hosts possible.

• Class C:

– First 24 bits are the address (Network ID).

– Final 8 bits are the host ID.

– Large number of Class C addresses available (2^24).

– Small number of hosts possible (254 due to unusable special addresses).

Class   Begins With (Binary)   Dotted Decimal   Excluded Addresses
A       0                      0 - 127          10.0.0.0 - 10.255.255.255
B       10                     128 - 191        127.0.0.0 - 127.255.255.255
C       110                    192 - 223        192.168.0.0 - 192.168.255.255
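The address arithmetic described above, as an added example (not code from the original page): the broadcast rule from the text (set every bit that is 0 in the subnet mask to 1), the all-zero network address, the usable host count behind the "254" figure, the classful rule on the leading bits of the first octet, and a lookup against the special ranges listed (private, loopback, link-local autoconfiguration, limited broadcast). The sample addresses are constructed except for the 129.152.x.x and readthedocs.org values taken from the text; link-local is taken as 169.254.0.0/16.

```python
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def broadcast_address(host, mask):
    """The rule from the text: keep the host's network bits, set every bit that is 0 in the mask to 1."""
    return to_dotted(to_int(host) | ~to_int(mask))


def network_address(host, mask):
    """All-zero host ID: keep only the bits that are 1 in the mask."""
    return to_dotted(to_int(host) & to_int(mask))


def usable_hosts(mask):
    """Host IDs minus the two reserved ones (all-zero network address, all-one broadcast)."""
    host_bits = 32 - bin(to_int(mask)).count("1")
    return max(2 ** host_bits - 2, 0)


def address_class(host):
    """Classful rule: the class is decided by the leading bits of the first octet."""
    first_octet = to_int(host) >> 24
    if first_octet & 0b10000000 == 0b00000000:
        return "A"
    if first_octet & 0b11000000 == 0b10000000:
        return "B"
    if first_octet & 0b11100000 == 0b11000000:
        return "C"
    if first_octet & 0b11110000 == 0b11100000:
        return "D"          # multicast, not covered in the text
    return "E"              # reserved


CLASSFUL_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def special_kind(host):
    """Which of the special ranges listed in the text an address belongs to, if any."""
    addr = ipaddress.IPv4Address(host)
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "limited broadcast"
    if addr.is_loopback:            # 127.0.0.0/8
        return "loopback"
    if addr.is_link_local:          # 169.254.0.0/16, autoconfiguration
        return "autoconfiguration"
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def describe(host, mask=None):
    """Summarise an address the way the text walks through 129.152.x.x; the mask defaults
    to the classful one for the address's class."""
    cls = address_class(host)
    mask = mask or CLASSFUL_MASK.get(cls, "255.255.255.255")
    return {"class": cls, "mask": mask,
            "network": network_address(host, mask),
            "broadcast": broadcast_address(host, mask),
            "usable_hosts": usable_hosts(mask),
            "kind": special_kind(host)}


if __name__ == "__main__":
    for sample in ("129.152.10.20", "10.1.2.3", "192.168.2.10", "127.0.0.1", "162.209.114.75"):
        print(sample, describe(sample))
```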

Network Address Translation (NAT) This is the clever way that the host number cap based on the address class system is bypassed, allowing the freedom to set up internal networks with IP addresses that do not need to be unique from every address on the Internet. If the edge device is acting as a DHCP server for the internal network, only it needs to have a unique IP address from the ISP, and it can act like a proxy for the internal devices. The edge router receives the incoming and outgoing traffic and translates it between the Internet and local address spaces.

NAT also provides the benefit of obscuring the nature of the internal network. This increases security because when a connection is made by a device behind the NAT device, the NAT device makes the connection instead. This can help to prevent attackers from learning about the local network. NAT devices also usually assign addresses from the reserved private range, which furthers security by making internal devices only reachable through address translation. One common way past this though is for an attacker to attempt to get a client to initiate the connection, letting them into the network, such as by sending links which lead to attacks such as cross site scripting.
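The stateful translation the two paragraphs above describe, as an added example (not the page's code): a NAT table that only creates a mapping for flows opened from the inside, so a reply to such a flow is translated back to the internal host while an unsolicited inbound packet has no inside destination and is dropped. The public address, internal hosts and ports are constructed sample values.

```python
import itertools

# Constructed addresses for the demonstration (not from the original page).
PUBLIC_IP = "203.0.113.7"               # stands in for the single ISP-assigned address
WEB_SERVER = ("162.209.114.75", 80)     # readthedocs.org as resolved in the text


class NatTable:
    """Stateful NAT as the text describes it: only connections opened from inside create a mapping."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ext_ports = itertools.count(first_port)
        self.by_flow = {}        # (int_ip, int_port, dst_ip, dst_port) -> external port
        self.by_ext_port = {}    # external port -> (int_ip, int_port, dst_ip, dst_port)
        self.dropped = []        # unsolicited inbound packets, kept for logging

    def outbound(self, pkt):
        """Rewrite the source to the public address; allocate a mapping on first sight of the flow."""
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        ext_port = self.by_flow.get(flow)
        if ext_port is None:
            ext_port = next(self._ext_ports)
            self.by_flow[flow] = ext_port
            self.by_ext_port[ext_port] = flow
        return dict(pkt, src=self.public_ip, sport=ext_port)

    def inbound(self, pkt):
        """Only a reply matching an existing flow is forwarded; anything else is dropped."""
        flow = self.by_ext_port.get(pkt["dport"])
        if flow is None or (pkt["src"], pkt["sport"]) != (flow[2], flow[3]):
            self.dropped.append(pkt)
            return None
        return dict(pkt, dst=flow[0], dport=flow[1])


def demo():
    nat = NatTable(PUBLIC_IP)
    # Two internal hosts happen to pick the same source port for the same server.
    a_out = nat.outbound({"src": "192.168.2.10", "sport": 1234,
                          "dst": WEB_SERVER[0], "dport": WEB_SERVER[1]})
    b_out = nat.outbound({"src": "192.168.2.11", "sport": 1234,
                          "dst": WEB_SERVER[0], "dport": WEB_SERVER[1]})
    # The server replies to what it saw: the public address and the translated ports.
    a_reply = nat.inbound({"src": WEB_SERVER[0], "sport": 80,
                           "dst": PUBLIC_IP, "dport": a_out["sport"]})
    b_reply = nat.inbound({"src": WEB_SERVER[0], "sport": 80,
                           "dst": PUBLIC_IP, "dport": b_out["sport"]})
    # An unsolicited inbound packet (constructed source) has no mapping and is dropped.
    probe = nat.inbound({"src": "198.51.100.9", "sport": 5555, "dst": PUBLIC_IP, "dport": 22})
    return {"a_out": a_out, "b_out": b_out, "a_reply": a_reply, "b_reply": b_reply,
            "probe": probe, "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```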

Routing The main functions of the network layer are routing and forwarding. Let's take a look at this in action with traceroute (slightly censored); I wonder who readthedocs uses for hosting:

$ traceroute readthedocs.org
traceroute to readthedocs.org (162.209.114.75), 30 hops max, 60 byte packets
 1  my-router-1 (192.168.2.1)  0.834 ms  0.896 ms  0.992 ms
 2  my-router-2 (192.168.1.1)  16.765 ms  493.705 ms  530.651 ms
 3  10.11.96.1 (10.11.96.1)  543.725 ms  543.795 ms  543.815 ms
 4  100.127.41.66 (100.127.41.66)  543.839 ms  544.827 ms  544.847 ms
 5  172.22.51.92 (172.22.51.92)  544.949 ms  544.882 ms  544.983 ms
 6  ashbbprj02-ae2.0.rd.as.cox.net (68.1.4.139)  548.694 ms  553.613 ms  541.464 ms
 7  69.20.1.10 (69.20.1.10)  553.511 ms  24.244 ms  24.214 ms
 8  * * *
 9  coreb-dcpe2.iad3.rackspace.net (69.20.2.173)  39.154 ms corea-dcpe1.iad3.rackspace.net (69.20.2.161)  39.216 ms coreb-dcpe2.iad3.rackspace.net (69.20.2.173)  38.664 ms
10  corea-core8.iad3.rackspace.net (69.20.2.99)  39.297 ms coreb-core8.iad3.rackspace.net (69.20.2.115)  39.103 ms corea-core7.iad3.rackspace.net (69.20.2.97)  39.231 ms
11  core8-aggr403b-6.iad3.rackspace.net (72.4.122.47)  38.389 ms core8-aggr403a-6.iad3.rackspace.net (72.4.122.45)  31.223 ms core8-aggr403b-6.iad3.rackspace.net (72.4.122.47)  29.268 ms
12  readthedocs.org (162.209.114.75)  26.784 ms  25.336 ms  25.272 ms

Routers use protocols to attempt to find the best path to any given destination. Each router maintains routing tables that help the router to figure out what the likely best next hop will be. BGP (Border Gateway Protocol) is the standard for Internet routing, and AS (Autonomous System) routing protocol is used to deliver packets on an Intranet. Internally, private networks can use the routing protocol they want, but Internet routing must all be done with the same protocol.

Data Link Layer

The data link layer handles transfer between directly connected network devices, and it does not distinguish between types of systems; everything is just a node. The connections between nodes may be wired or wireless and at this level the packets are called frames. Every network device implements the data link layer, unlike the higher layers. The header added contains the source and destination MAC address.

Address Resolution Protocol (ARP) provides mapping from IP addresses to MAC addresses. This is a mapping between logical addresses, which is what IP addresses are, and physical addresses. Every device has both an IP address and a MAC address, and while the MAC address physically cannot be changed, it is trivial to change what a device reports it as, so it by no means can be used for reliable identification in any situation where it may have been tampered with. ARP is only between nodes on a local network.

Physical Layer

Insertion of individual bits “on the wire” (Manchester Encoding).

1.5.2 Information Security Introduction

date 9 January, 2016

“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain.”

—Kevin Mitnick

The Computer Security Triad (CIA (Confidentiality, Integrity, and Availability) +)

• Confidentiality

• Integrity

• Availability

Frequently appended items include:

• Authenticity

• Accountability

OSI (Open Systems Interconnection) Security Architecture

The OSI Security Architecture recommendation uses an approach to system security using:

• Security Attacks

• Security Mechanisms


• Security Services

Security Attacks

A security attack may have drastically varying definitions depending on who is defining it. For example, the IETF (Internet Engineering Task Force) defines a security attack in RFC 2828 as:

an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

While the US Government defines it in CNSS (Committee on National Security Systems) Instruction No. 4009 as:

Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.

Warning: The US Government definition is far more vague than the IETF definition. It is important to be aware of the definition in the jurisdictions you perform security research in.

Types of Security Attacks

Security attacks are generally divided into passive attacks and active attacks. Passive attacks involve gaining information without actively manipulating any information or data, simply listening. Because of this, passive attacks are much harder to detect under most circumstances (quantum cryptography may be an exception). For example, if Alice sends Bob a normal e-mail using any standard e-mail provider it is sent completely open in plain text, as a post card would be sent. A third party listening on the line would be able to passively read the message. Even if Alice and Bob exchange messages using encryption, a third party passively listening may be able to tell that Alice is communicating with Bob by the pattern of the message flow. Even more data may be deduced depending on the routing and encryption used.

An example of how dangerous this is would be to consider a person, Edward. Edward works at a government agency and discovers evidence of unconstitutional activities by said agency. He knows people who have attempted to correct bad practices by the agency in the past and who have suffered harassment, ruined careers, and general bullying from the good old boys' club. Edward decides that the information is too important, so it must be released in a way that it must be addressed. He contacts a journalist using strong encryption, but because of his position he is being passively watched. From the transmissions the agency cannot tell what Edward and the journalist were talking about, but it knows that they exchanged messages. Edward's door is kicked in by a S.W.A.T. team the next day.

With an active attack, on the other hand, the attacker is actively trying to modify the behavior of the system by sending and/or modifying data. Unlike passive attacks, which rely nearly entirely on prevention instead of detection, it is very difficult to prevent all forms of active attacks. The attack surface is too large with all the types of hardware, software, and network devices involved in any given communication. They are normally handled by detection and recovery. According to Mayfield's Paradox, to keep everyone out of a system requires infinite money, and is essentially impossible.

• Passive Attacks

– Release of message contents.

* Wiretapping

– Traffic Analysis


Fig. 1.13: Radical Edward communicates with a journalist.

– Port Scanner

– Idle Scan

• Active Attacks

– Masquerade

* Phishing

– Replay Attack

– Modification of Message

– Denial of Service (DOS)

– DNS Spoofing

– Man in the Middle

– ARP Poisoning

– VLAN Hopping

– Smurf Attack

– Buffer Overflow

– Heap Overflow

– Format String Attack

– SQL Injection

– Cross Site Scripting

– Cross Site Request Forgery

Security Services

A processing or communication service that provides some type of protection. For example, encryption may provide some or all of the following services.

• Authentication

– Peer Entity Authentication


– Data-Origin Authentication

• Access Control

• Data Confidentiality

– Connection Confidentiality

– Connectionless Confidentiality

– Selective-Field Confidentiality

– Traffic-Flow Confidentiality

• Data Integrity

– Connection Integrity with Recovery

– Connection Integrity without Recovery

– Selective-Field Connection Integrity

– Connectionless Integrity

– Selective-Field Connectionless Integrity

• Non-repudiation

– Non-repudiation Origin

– Non-repudiation Destination

Security Mechanisms

Mechanisms that implement security services.

• Specific Security Mechanisms

– Encipherment

– Digital Signature

– Access Control

– Data Integrity

– Authentication Exchange

– Traffic Padding

– Routing Control

– Notarization

• Pervasive Security Mechanisms

– Trusted Functionality

– Security Label

– Event Detection

– Security Audit Trail

– Security Recovery


Security mechanisms relationship to security services:

Security Service              | Enc | Sig | Acc | Int | AuX | Pad | Rte | Not
------------------------------+-----+-----+-----+-----+-----+-----+-----+-----
Peer Entity Authentication    |  x  |  x  |     |     |  x  |     |     |
Data-Origin Authentication    |  x  |  x  |     |     |     |     |     |
Access Control                |     |     |  x  |     |     |     |     |
Confidentiality               |  x  |     |     |     |     |     |  x  |
Traffic-Flow Confidentiality  |  x  |     |     |     |     |  x  |  x  |
Data Integrity                |  x  |  x  |     |  x  |     |     |     |
Non-repudiation               |     |  x  |     |  x  |     |     |     |  x
Availability                  |     |     |     |  x  |  x  |     |     |

Mechanism columns: Enc = Encipherment, Sig = Digital Signature, Acc = Access Control, Int = Data Integrity, AuX = Authentication Exchange, Pad = Traffic Padding, Rte = Routing Control, Not = Notarization.

Security Model

When two or more parties want to communicate over a network such as the Internet they must cooperate to exchange the message. If the exchange needs to be secure, there are components that are common to all methods:

• A security related operation over the data

– Encryption

– Digital Signature

– Steganography

• A shared secret

– Encryption Key

A trusted third party may or may not be needed. Common functions of a trusted third party are to distribute shared secrets or ensure message authenticity. There are many different security models for various situations, and they vary in complexity and security level. Various trade-offs must be considered based on the needs of each particular situation. The following is a generalization of a common security model for communication over an insecure network:

Another common security model is for access control. There are many reasons an attacker may want to compromise any given system, from fun to growing the size of a botnet. Some programs installed on a device can increase the threat of unauthorized access to the system. Compilers, for example, could allow the attacker to write code that will gain a more permanent foothold, attack other systems (pivot), or use the system to mount attacks on other systems outside the network, such as operating as part of a DDoS attack or spam server. The types of attacks include:

• Information access threats

• Service interruption threats

• Software attacks

The means to deal with these threats include:


Fig. 1.14: Network security model for communication.

• Gatekeeper function

– Password login

– Screening Logic to reject viruses and worms

• Internal Controls, Monitoring

– Intrusion Detection

– Antivirus

Example Security Model

When designing a network device and networks themselves it is important to consider the security requirements that they may have. Defining the security requirements of a model is essential to correctly designing the system. Consider each security service and how important it is. For example, consider a telephone switching network that routes calls based on the telephone number requested by the caller. To get started we need to know who will be using the network and how.

The network consists of universities, large businesses, small businesses, home offices, government agencies, military, and mobile users. All will have very different needs, so let's only consider a public phone network like what exists with the PSTN and PDN, and only use by normal users, ignoring enterprise and government needs. Currently the line between a telephone network and the Internet is significantly blurred, and the focus must be on mobile phone communications over the network, as that is the primary use.

The following security services each fall under a category of the (CIA +) computer security triad.


Fig. 1.15: Network security model for intrusion prevention, detection, and monitoring.

Authentication

• Peer Entity Authentication: Low Requirement

• Data-Origin Authentication: Moderate Requirement

Peer Entity Authentication would be a low concern for a public telephone network; humans are fairly good at determining who they are talking to by voice recognition. Also, public networks would not be used for communications that needed to be highly secure.

Now that data travels over the network more than voice, Data-Origin Authentication is much more important. Most telephony data is sent using cell phones, and possession of a phone should be sufficient for authentication. Cell phones usually have baked-in access controls also, which should help ensure the person using the device to send data is who they claim to be. As long as the origin of the data is verified to be the correct device then authentication should be sufficient.

Access Control

Access Control: No Requirement

While currently there are fairly strict access controls for public telephone networks, there is no requirement for it. Current access controls being that (in general) your identity must be tied to the access device, it would take a moderate level of effort to gain a means of anonymously accessing the network. The fact that the controls are so easy to bypass for anyone with the motivation to do so makes them only useful against ordinary people and not people misusing the network. Public networks should have no access controls.

Data Confidentiality

• Connection Confidentiality: High Requirement

• Connectionless Confidentiality: High Requirement

• Traffic-Flow Confidentiality: High Requirement

• Selective-Field Confidentiality: N/A


Even on a public network there is a strong need for confidentiality. This is because of the increased ability to store and process data, which far exceeds capabilities at any other time in history. Strong connection confidentiality is needed to protect all users from eavesdropping (wiretapping) by others with malicious intentions. It is also a requirement in order to maintain a free society. Due to the current extreme insecurity of all mobile devices, which make up the vast majority of telephones in use, strong connectionless confidentiality is also required to prevent data leaking to the malware that nearly all users install on their phone by choice.

Another reason for strong confidentiality is that phones' data connections are used for much more than simply communicating now. Consider their uses for mobile banking: if the data exchanged while performing banking activities is not protected it could lead to many attacks. Strong Traffic-Flow Confidentiality is also required because of situations such as shown by the communications between Radical Edward and a journalist shown earlier. Simply knowing who everyone has communicated with is too much of a data leak to maintain a free society.

Selective-Field Confidentiality is not applicable because even allowing metadata to be leaked allows too much inference to be drawn by adversaries. It would be preferable to no confidentiality though.

Data Integrity

• Connection Integrity with Recovery: No Requirement (for recovery)

• Connection Integrity without Recovery: High Requirement

• Connectionless Integrity: High Requirement

• Selective-Field Connection Integrity: N/A

• Selective-Field Connectionless Integrity: N/A

Connection Integrity with Recovery would be overkill for a public network; most communications will not be critical enough to justify implementing recovery. Connection Integrity without Recovery is essential. Consider again the mobile banking case: if a user's data integrity is not protected an attacker could not only redirect a transfer to his account but also change the amount. Also, many different types of attacks could come out of simply modifying SMS messages to achieve goals such as would be possible by use of social engineering.

Again, the vast majority of phones today are computers first, phones second, and horribly insecure. Possibly the most insecure devices that exist. Connectionless Integrity is required to ensure that data isn't tampered with between being entered and its security transformation before being sent.

Selective-Field Connection Integrity and Selective-Field Connectionless Integrity are not desirable as modification of metadata could also be used for attacks. They would be preferred to no data integrity though.

Non-repudiation

• Non-repudiation Origin: No Requirement

• Non-repudiation Destination: No Requirement

Neither Non-repudiation Origin nor Non-repudiation Destination would be a requirement for a public network.

Availability

Availability: High Requirement

The network's use for emergency calls alone is justification enough for the need for high availability.

1.5. Information Security 107

rtfm Documentation, Release 0.0a0.post0.dev144+ng4fb6122

Additional Justification for High Confidentiality

For even greater justification for the need of strong confidentiality in all forms of communication including telephony, see this talk by Steve Rambam at HOPE X: You’ve Lost Privacy, Now They’re Taking Anonymity (aka Whistleblowing is Dead - Get Over It)

TL;DW (Too long; didn’t watch): This barely scratches the surface of the reasons but is probably the best one:

“... you never can tell what is waiting around the corner in your life, and I say that as a guy who is probably the only one in this room to be removed from a HOPE conference in handcuffs. Look, in the 1930’s people who were left wing communist anti-Hitler people were the good guys, in the 1950’s the same people were put in jail for what they did in the 1930’s.”

—Steve Rambam

1.5.3 Network Threats and Attacks

date 27 January, 2016

“The difference between being a script kiddie or a hacker is simply knowing how to write your own tools.”

—Anon

Introduction to Network Attacks

Different threat models are needed to protect against different types of attackers. All have different levels of resources, goals, and tools.

• Script Kiddies (Amateurs)

– Little knowledge of the systems

– Only using automated tools

– Likely little knowledge of consequences or damage caused

• Hackers

– Recreational Intruder

– Looking for an intellectual challenge

• Hacktivists

– political

– protest

• Professionals

– Online Criminals

– Knowledgeable

– In it only to make money

– May have a substantial amount of resources (Money)

– May be working in a group

• Governments

– Attack their own citizens

– Massive amount of resources

– They have manpower, corporate influence, money, and computing resources

– Generally a good place to set the bar for the Adversary when designing a security system

All intrusion type attacks will follow the model:

1. Get information

2. Get access

3. Get privileges

4. Get comfortable

5. Get ready for the next attack

Application Layer Attacks

Generally target internet users.

Cross Site Scripting (XSS)

XSS is a group of attacks that exploit a browser side scripting language such as JavaScript. An attacker will exploit known vulnerabilities in web-apps, servers, or installed browser plug-ins to insert their exploits into the code that is being delivered by the compromised site. The script should appear as if it was supposed to be sent by the trusted site so the browser trusts it and executes it.

The attacker generally does this by submitting values to the site by URL, forums, or anything that displays user submitted data. When the script is executed by the browser the attacker gains elevated access-privileges to sensitive page content, session cookies, or any other sensitive data the browser manages.

Two ways users are tricked into XSS attacks:

1. Trick a user to click on a link (email, forum).

• <img src=badcode.html/>

2. Creating an XSS attack and storing it on the target site, such as a forum post or profile.

• May also be self-propagating, creating an XSS worm.

HTTP (Hypertext Transfer Protocol) Response Splitting

HTTP Response Splitting is a kind of web-application vulnerability where the attacker takes advantage of a proxy server intended to improve network performance. On larger networks such as universities or corporate buildings a proxy server can sit between the network and the router and cache frequently requested objects. If the object is not in the server's cache it will request it from the web server. It is possible for an attacker to, from behind the proxy server, poison the web cache.

The vulnerability normally results from a failure of the server to properly sanitize the input values. It is a means to get the proxy to serve malicious content back to the users making requests, and a means to perform other attacks such as XSS, web cache poisoning, etc.

Session Hijacking

A web server's short-term memory is usually controlled using cookies. Cookies are just small bits of data sent from a website and stored in the user’s browser. There are some different uses of cookies, and properties they may have, including:

• HTTP Only Cookies

• Third-Party Tracking Cookies

• Third-Party Cookies

• Authentication Cookies

• Persistent Cookies

• Session Cookies

• Supercookies

• Secure Cookies

• Zombie Cookies

The uses of cookies range from identification of users, to remembering personalization choices, to authentication, and the majority of cookies are sent in the clear. Because they are normally sent in the clear it is easy to find cookies using a packet sniffing tool. Session hijacking is when an attacker steals an authentication cookie, usually a session ID, and thereby gains login credentials to an account for which they should not have access.

Methods:

• Session Hijacking

• Session Fixation

• Malware

• XSS

Sniffing tools:

• Wireshark

• Burp Suite

• WiFi Honey

• Kismet

Tools for Header Manipulation:

• Firesheep

• DroidSheep

• Scapy

• Tamper

Defence:

• User:

– Encryption (End to End HTTPS)

– VPN

– Session ID Monitors

– Logout when finished

– Don’t check “remember me”

• Service:

– Change cookie value periodically

– Sanity checks such as if there are requests from the same session ID from two IP addresses.

– Changing session ID on login.

– Using session IDs random and long enough to prevent guessing.
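The service-side defences above, applied together in one session store: CSPRNG-generated IDs that are long enough to be unguessable, a new ID issued on login (so a pre-login ID can never be fixated into an authenticated one), periodic rotation, an idle timeout, and the sanity check that revokes and logs any session ID presented from a second IP address. This is an added example and not code from the rtfm docs; the store's API, the timeouts and the in-memory backend are assumptions, and cookie transport (Secure/HttpOnly flags) is assumed to be handled elsewhere.

```python
"""Server-side session store applying the session hijacking defences listed above.

Added example, not code from the rtfm docs. Timeouts and the in-memory backend
are assumptions; cookie flags and transport encryption are handled elsewhere.
"""
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits of entropy: long enough that guessing is hopeless
ROTATE_AFTER_SECONDS = 600   # "change cookie value periodically"
IDLE_TIMEOUT_SECONDS = 1800  # sessions that are not logged out still die eventually


class SessionStore:
    """Maps session IDs to records: {"user", "ip", "created", "last_seen"}."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so rotation/expiry can be tested
        self._sessions = {}
        self.alerts = []         # sanity-check findings: (sid, issued_to_ip, seen_from_ip)

    def _new_id(self):
        # OS CSPRNG; 32 bytes -> 43 URL-safe characters in the cookie value
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self, client_ip):
        """Anonymous (pre-login) session, e.g. for a shopping basket."""
        sid = self._new_id()
        now = self._now()
        self._sessions[sid] = {"user": None, "ip": client_ip, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user, client_ip):
        """Issue a fresh ID on login; the old one (possibly planted by session fixation)
        is invalidated unconditionally so it never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        now = self._now()
        self._sessions[sid] = {"user": user, "ip": client_ip, "created": now, "last_seen": now}
        return sid

    def touch(self, sid, client_ip):
        """Validate the session presented on a request.

        Returns (sid_to_set_in_cookie, user) or (None, None) when the session is rejected.
        The returned sid differs from the input when the cookie was rotated.
        Note: binding a session to one IP is the page's "sanity check"; it also logs
        out legitimate users whose address changes (mobile, NAT), so tune it per site.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None, None
        now = self._now()
        if now - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None, None
        if rec["ip"] != client_ip:
            # Same session ID from two IPs: the hijack indicator. Revoke and record it.
            self.alerts.append((sid, rec["ip"], client_ip))
            del self._sessions[sid]
            return None, None
        rec["last_seen"] = now
        if now - rec["created"] > ROTATE_AFTER_SECONDS:
            # Periodic rotation: a cookie captured earlier stops working after this.
            del self._sessions[sid]
            sid = self._new_id()
            rec["created"] = now
            self._sessions[sid] = rec
        return sid, rec["user"]

    def logout(self, sid):
        """Explicit logout: the server forgets the ID, a stolen copy is useless."""
        self._sessions.pop(sid, None)

    def __len__(self):
        return len(self._sessions)
```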

DNS (Domain Name System) Spoofing and Poisoning

DNS Spoofing is a method of redirecting web traffic requesting a particular site to a site, or computer, other than the one belonging to the address requested by the user. This is normally achieved by cache poisoning a DNS Server.

This can either be done a couple ways:

• An attacker sends a query requesting data about a malicious site they have set up, and when the victim responds querying the malicious site it responds with a fake DNS record. If the victim has not guarded against it then it will store the false DNS record.

• An attacker uses a packet sniffer to intercept traffic from a victim; when it finds a DNS query from the victim it forges a new one with ID data from the intercepted query. The forged UDP datagram contains a mapping to the attacker's malicious site or computer. The attacker forwards the forged datagram and throws away the original, and the victim stores the data in its cache.

Related attacks, both of which may lead to a site made to look identical to trick the user into thinking they are legitimate and possibly get them to enter credentials:

• Redirects, a DNS attack where a link on a legitimate site is compromised and changed.

• Near match domains i.e. www.readtehdocs.org, just a typo away.

Password Cracking

Usually done with a dictionary attack but sometimes a brute force may be attempted depending on the system being attacked.

Tools:

• TrueCrack: Brute forcer for TrueCrypt.

• RainbowCrack: Cracks hashes using rainbow tables.

• Ncrack: Network authentication cracker.

• John the Ripper: Highly configurable cracker, portable, feature rich.

• Crunch: Wordlist generator

Transport Layer Attacks

The layer concerned with delivering packets to the correct processes and applications.

TCP Spoofing

When a protocol does not provide a way to authenticate the source or destination of the packets it is vulnerable to spoofing attacks. TCP spoofing is a way to convince a user receiving a TCP segment that the message came from an origin other than the attacker. This method can be used to play man-in-the-middle without the victims knowing.

The goal of a man-in-the-middle attack is to get established as an unknown intermediary hop in the network between the people communicating. To jump into the middle of a TCP exchange an attacker may listen for the start of a three-way handshake (see: Intro to TCP for details), intercept segments, and send a spoofed SYN/ACK segment.

For this to work the attacker must know the sequence numbers of the segments. The difficulty of this depends on the software on the computers communicating: the sequence may always have the same starting point or be randomly generated. The quality of “random” often varies greatly in security systems also. If the packets are sent in the clear it is also possible to listen and look for a pattern in the sequence and then jump into the middle.

This attack may be passive, other than forging the source and destination information, and just gather information, or it may actively modify or completely replace any amount of information being communicated.

Defences:

1. Firewall (with DPI)

2. Authentication

3. Encryption

SYN Flood Attacks

A type of DoS attack where the attacker exploits the connection establishment of TCP (see: Intro to TCP for details) in order to prevent users from establishing a connection. As was shown in the simple Python TCP server script, each connection to a client eats up some amount of resources on the server. The specific function, shown again below, reserves a buffer of size 1024 for each connection.

def handle_client(client_socket):
    request = client_socket.recv(1024)
    print("[*] Received: %s" % request)
    client_socket.close()

Also, servers may have some upper limit on the number of connections, such as in the line where it sets the limit to three connections:

server.listen(3)

An attacker can send a series of SYN requests without any intention to ever respond with an ACK. While the server is waiting for the ACK response some amount of the server's resources are reserved. If this is done with forged origins on many requests, the attacker pretending to be many different people, it can push the amount of resources reserved by the server to the limit, and normal users of the service will not be able to connect. If either the connection limit or the available resource limit is reached then the attack is successful.

This attack could be demonstrated with the TCP server and TCP client scripts by running multiple clients to connect to the server until the connection limit is reached, or extending the client script to send connection requests on an infinite loop.

Defences: see RFC 4987 for more details.

1. Filtering

2. Firewall

3. Proxy

4. SYN Cookies

5. SYN Cache
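SYN cookies, the defence that removes the resource the flood exhausts: instead of reserving state for every half-open connection, the server encodes a time counter, the client's MSS and a keyed hash of the connection 4-tuple into its initial sequence number, and reconstructs what it needs when (and only when) the final ACK arrives. The block below is an added example, not code from the rtfm docs or from RFC 4987; the 5/3/24-bit layout follows the common Linux-style scheme, and the secret key, MSS table and the `simulate` harness (a `server.listen(3)`-sized backlog against never-acked SYNs) are assumptions.

```python
"""SYN cookie generation/validation plus a small simulation of a SYN flood against a
backlog of three, with and without cookies. Added example, not from the rtfm docs."""
import hashlib
import hmac

SECRET = b"constructed-secret-rotate-at-boot"   # placeholder; real kernels pick one at boot
MSS_TABLE = [536, 1220, 1440, 1460]             # MSS values encodable in the 3-bit field
COUNTER_STEP = 64                               # time counter ticks every 64 seconds
MAX_COOKIE_AGE = 2                              # accept cookies up to 2 ticks old


def _hash24(flow, counter, client_isn):
    """24-bit keyed hash binding the cookie to (src, sport, dst, dport, counter, client ISN)."""
    src_ip, src_port, dst_ip, dst_port = flow
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}|{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(flow, client_isn, mss, now):
    """Server ISN to put in the SYN/ACK. Layout: 5-bit counter | 3-bit MSS index | 24-bit hash.
    The server stores nothing about the SYN, so a flood cannot fill a half-open table."""
    counter = (int(now) // COUNTER_STEP) & 0x1F
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0           # largest table MSS not above the client's
    return (counter << 27) | (mss_idx << 24) | _hash24(flow, counter, client_isn)


def check_syn_cookie(flow, client_isn, ack, now):
    """Validate the handshake-completing ACK. Returns the MSS to use, or None to drop it."""
    cookie = (ack - 1) & 0xFFFFFFFF             # ACK number is server ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    current = (int(now) // COUNTER_STEP) & 0x1F
    if ((current - counter) & 0x1F) > MAX_COOKIE_AGE:
        return None                             # stale (or forged) time counter
    expected = _hash24(flow, counter, client_isn).to_bytes(3, "big")
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                             # hash does not match this 4-tuple / ISN
    return MSS_TABLE[mss_idx]


def simulate(flood_syns, backlog, use_cookies, now=1000):
    """Flood of never-acked SYNs from forged sources, then one legitimate handshake.
    Returns True if the legitimate client gets its connection."""
    server = ("192.0.2.10", 80)                 # constructed addresses (TEST-NET ranges)
    half_open = set()
    for i in range(flood_syns):
        flow = (f"198.51.100.{i % 250}", 40000 + i, *server)
        if use_cookies:
            make_syn_cookie(flow, i, 1460, now)  # reply with SYN/ACK, remember nothing
        elif len(half_open) < backlog:
            half_open.add(flow)                  # classic server: state per half-open SYN
        # without cookies and with a full backlog, further SYNs are simply dropped
    legit = ("203.0.113.7", 51515, *server)
    client_isn = 777
    if use_cookies:
        isn = make_syn_cookie(legit, client_isn, 1460, now)
        return check_syn_cookie(legit, client_isn, (isn + 1) & 0xFFFFFFFF, now + 10) == 1460
    if len(half_open) >= backlog:
        return False                             # backlog full of forged SYNs: denied
    half_open.add(legit)
    return True
```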

Ping of Death

A ping is a network tool, and TCP/IP command, that sends out packets just to see if there is a response. Some network monitoring tools use it to determine if various network devices or hosts are alive and what the response time is.

$ ping readthedocs.org
PING readthedocs.org (162.209.114.75) 56(84) bytes of data.
64 bytes from readthedocs.org (162.209.114.75): icmp_seq=1 ttl=53 time=16.3 ms
64 bytes from readthedocs.org (162.209.114.75): icmp_seq=2 ttl=53 time=72.6 ms
64 bytes from readthedocs.org (162.209.114.75): icmp_seq=3 ttl=53 time=19.0 ms

--- readthedocs.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 16.349/36.011/72.604/25.899 ms

The Ping of Death is a DoS attack that sends many oversized requests to flood the victim, using up the available resources, and it may target any networked device with an IP address. This is trivial to defend against: it is possible to ignore ping requests at a particular amount of server load, of a particular size using packet inspection, or to just ignore them altogether like Microsoft does.

$ ping microsoft.com
PING microsoft.com (104.43.195.251) 56(84) bytes of data.

--- microsoft.com ping statistics ---
86 packets transmitted, 0 received, 100% packet loss, time 85502ms

UDP Flood Attacks

A UDP (User Datagram Protocol) attack is a type of DoS attack that uses the UDP connectionless protocol. It is performed by sending many datagrams to the victim on random ports; the victim tries to deliver to a listening application and when there isn't one it responds with an ICMP (Internet Control Message Protocol) destination unreachable packet. This is done on a scale where the victim server uses all of its resources and therefore cannot respond to legitimate requests. The best defence is to lock down unused ports, and have firewalls with good packet filtering rules.

Software tools for UDP flood attacks:

• UDP Unicorn

• Low Orbit Ion Cannon (LOIC)

• High Orbit Ion Cannon (HOIC)

Replay Attack

To perform a replay attack an attacker captures legitimate communications, and later retransmits them. This method is especially useful against some types of encryption because even if the attacker does not know the contents of the packets, as long as the encryption is not properly secured against replay attacks the message will still seem to be legitimate. The best defences are session keys, timestamps, and use of proper encryption modes.

Fig. 1.16: The Low Orbit Ion Cannon (LOIC) Interface
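The three defences named above combined into one receiver: a per-session key (so a message captured in one session is meaningless in another), a timestamp checked against a freshness window, and a monotonically increasing sequence number, all covered by the authentication tag so an attacker cannot adjust them. This is an added example, not code from the rtfm docs; the message layout, the `Receiver`/`seal` API and the 5-second window are assumptions.

```python
"""Replay-resistant authenticated messages: session key + timestamp + sequence number.
Added example, not from the rtfm docs. Message = seq(8) | ts(8) | tag(32) | payload."""
import hashlib
import hmac
import struct

FRESHNESS_WINDOW = 5   # seconds of clock skew / transit a message may have (assumption)
HEADER = struct.Struct("!QQ")
TAG_LEN = 32


def session_key(master_key, session_id):
    """Derive a key unique to this session so a captured message cannot be replayed
    into a different session, even one between the same two parties."""
    return hmac.new(master_key, b"session:" + session_id, hashlib.sha256).digest()


def seal(key, seq, timestamp, payload):
    """Sender side: bind seq and timestamp to the payload with an HMAC tag."""
    header = HEADER.pack(seq, timestamp)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


class Receiver:
    def __init__(self, key, now):
        self.key = key
        self.now = now            # injectable clock for testing
        self.last_seq = -1        # highest sequence number accepted so far
        self.rejected = []        # (seq, reason) for monitoring/alerting

    def open(self, msg):
        """Return the payload if the message is genuine, fresh and new; else None.
        The tag is checked first so forged messages can never move last_seq."""
        if len(msg) < HEADER.size + TAG_LEN:
            self.rejected.append((None, "truncated"))
            return None
        header, tag, payload = msg[:HEADER.size], msg[HEADER.size:HEADER.size + TAG_LEN], msg[HEADER.size + TAG_LEN:]
        seq, ts = HEADER.unpack(header)
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.rejected.append((seq, "bad tag"))
            return None
        if abs(self.now() - ts) > FRESHNESS_WINDOW:
            self.rejected.append((seq, "stale"))          # old capture replayed later
            return None
        if seq <= self.last_seq:
            self.rejected.append((seq, "replay"))         # seen already (or reordered)
            return None
        self.last_seq = seq
        return payload
```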

Network Layer

The layer for getting data to its proper destination.

IP Spoofing

The creation of IP (Internet Protocol) packets with a forged source IP address. This is commonly done to forge the origin of an E-Mail in order for it to seem legitimate, and get the user to give up sensitive information, click a link leading to an attack site, or even open a malicious attachment. Another reason for frequent use with E-Mail is for spammers to avoid being tracked down. It is also the method used to mask the source of TCP packets sent during a DoS attack in order to make packet filtering harder.

Defences:

• Packet Filtering

• TCP’s sequence number

BGP DoS

Because of BGP's (Border Gateway Protocol's) role in routing between ASes (Autonomous Systems) any vulnerability is an effective way to perform a DoS attack. This can be done by overloading the routers with many BGP messages or sending large router advertisements.

Smurf Attacks

Another DoS attack that exploits ICMP and IP broadcast addresses. The attack involves sending out a large number of ICMP packets with the victim's address as the forged source. The destination of the packets is the broadcast address (See IP Addressing) of a computer network, and everyone on the network responds to the victim, flooding the computer with traffic.

Defences:

• Packet Filtering

• Configure hosts to not respond to ICMP requests.

Data Link Layer

Layer for communications between nodes.

MITM

A MITM attack is a form of active eavesdropping where the attacker makes a connection with both of the victims attempting to communicate and relays the messages between them. The victims ideally never know that anyone else is listening in, and the attacker can either passively listen or actively modify the messages between the victims. Strong encryption can prevent MITM attacks.

ARP (Address Resolution Protocol) Spoofing (Poisoning)

To perform an ARP Poisoning attack the attacker sends forged messages on the LAN (Local Area Network) in an attempt to get network devices to believe that the victim's IP address is associated with the attacker's MAC (Message Access Control) address. If successful, any traffic meant for the victim will instead be sent to the attacker, allowing interception for modification, information gathering, or just trashing the traffic.
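Detecting the poisoning described above from the defender's side, in the style of arpwatch: learn each IP's MAC from the ARP replies seen on the LAN and alert when an already-known IP starts answering from a different MAC, then report any MAC that ends up owning several IPs (the gateway's plus a host's is the man-in-the-middle position). Added example, not code from the rtfm docs; the reply records, the `SAMPLE_REPLIES` and the optional `trusted` pinning are constructed assumptions.

```python
"""ARP poisoning detector: flag IP-to-MAC changes in observed ARP replies.
Added example, not from the rtfm docs; sample data below is constructed."""

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies on one LAN.
# Records 4 and 5 are what an attack on 192.168.1.20 looks like: the host at
# de:ad:be:ef:00:30 claims the gateway's IP, then the victim's.
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "AA:BB:CC:00:00:01"),    # gateway
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),   # victim workstation
    (3, "192.168.1.30", "de:ad:be:ef:00:30"),   # attacker's genuine address
    (60, "192.168.1.1", "de:ad:be:ef:00:30"),   # forged: gateway IP -> attacker MAC
    (61, "192.168.1.20", "de:ad:be:ef:00:30"),  # forged: victim IP -> attacker MAC
]


def watch_arp(replies, trusted=None):
    """Return (alerts, table). `trusted` optionally pins IPs (e.g. the gateway) to a MAC
    so a forged reply is caught even if it arrives before the genuine host's first one."""
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()                      # normalise case before comparing
        known = table.get(ip)
        if known is None:
            table[ip] = mac                    # first sighting: learn it
        elif known != mac:
            # A second MAC answering for a known IP is the poisoning signature.
            alerts.append({"time": ts, "ip": ip, "was": known, "now": mac})
            table[ip] = mac                    # follow the change so a flip back alerts too
    return alerts, table


def macs_claiming_multiple_ips(table):
    """MACs that currently own more than one IP in the learned table."""
    owners = {}
    for ip, mac in table.items():
        owners.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}
```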

1.5.4 Glossary

date 9 January, 2016

Access Control, Access Controls Provides protection against unauthorized use of resources accessible by OSI. One of five security service categories defined by X.800.

Accountability Requirement for users to be traceable to a unique identifier so that parties involved in system abuse may be traced back to the parties responsible.

Active Attack, Active Attacks Attempts to alter a system to affect its operation.

Address Resolution Protocol Maps IP addresses to MAC addresses. Protocol used for resolution of network layer addresses to link layer addresses. Originally defined in RFC 826; see also RFC 903, RFC 2390, and RFC 5227.

Adware Advertising that is integrated into software; may cause pop-up ads or browser redirection.

ARP Abbreviation of Address Resolution Protocol.

ARP Cache Poisoning See ARP Poisoning.

ARP Poison Routing See ARP Poisoning.

Fig. 1.17: ARP Spoofing

ARP Poisoning An attacker spoofs ARP messages onto a LAN. Generally used as an attempt to associate the MAC address of the attacker with the IP address of another host, thereby causing traffic meant for another party to be sent to the attacker instead.

ARP Spoofing See ARP Poisoning.

Authentication One of five security service categories defined by X.800. As defined by RFC 2828: The process of verifying an identity claimed by or for a system entity. (See: Data-Origin Authentication, Peer Entity Authentication.)

Authentication Cookie, Authentication Cookies Cookies used to allow users to leave a site and then log back on for some amount of time later without requiring authentication again.

Authentication Exchange A mechanism intended to ensure the entity is who they appear to be by means of information exchange.

Authenticity Ensuring users are who they say they are, and that messages are from who they say they are from.

Auto-Rooter, Auto-Rooters Tools used to break into machines remotely.

Availability Systems are ready for use at all times.

Backdoor, Backdoors A way to bypass a security check, for either unauthorized access or functionality.

Boot Sector Infector Infects a master boot record and spreads when a system is booted using the infected disk.

Bot A program a machine is infected with that may be activated to launch attacks, such as DDoS, on other machines.

Buffer Overflow A program continues to write to a buffer after it is full, overwriting memory locations it should not access.

Cache Poisoning Modifying data in a server's cache. Usually to get it to serve the malicious content to users requesting data from the server.

Checksum, Checksums A digital hash signature to verify data integrity, and generally not authenticity.

CIA Triad See Security Requirements Triad.

Clandestine User An individual who gains root access and uses it to evade auditing and detection.

Complete Packet Inspection See Deep Packet Inspection.

Computer Security See Information Security.

Confidentiality Having both Data Confidentiality and Privacy.

Connection Confidentiality Provides the confidentiality of all user data on a connection. One of the fourteen specific security services defined by X.800.

Connection Integrity with Recovery Provides integrity for all user data on a connection and detects modification, insertion, deletion, or replay of data within an SDU sequence (with recovery attempted). One of the fourteen specific security services defined by X.800.

Connection Integrity without Recovery Provides integrity for all user data on a connection and detects modification, insertion, deletion, or replay of data within an SDU sequence (without recovery attempted). One of the fourteen specific security services defined by X.800.

Connectionless Confidentiality Provides confidentiality of all user data in a single service data unit. One of the fourteen specific security services defined by X.800.

Connectionless Integrity Provides integrity of a single connectionless SDU and determines if a received SDU has been modified. Also, a limited form of detection of replay may be provided. One of the fourteen specific security services defined by X.800.

Cookie, Cookies A small piece of data from a website stored in the user’s browser. The browser sends the cookie back to the website every time it is loaded to inform it of some previous actions, status, etc.

Cracker A malicious meddler who tries to discover sensitive information by poking around.

Cross Site Request Forgery Website exploit where unauthorized commands are passed from a user that the website trusts. Exploits the trust a site has in a user’s browser.

Cross Site Scripting Vulnerability often found in web applications. Allows attackers to inject client-side script into web pages viewed by others. Used to gain access controls. Exploits the trust a user has in a particular site.

CSRF (Cross Site Request Forgery) Abbreviation for Cross Site Request Forgery.

Data Confidentiality Data is not made available to unauthorized users.

Data Confidentiality Provides protection of data from unauthorized disclosure. One of five security service categories defined by X.800.

Data Integrity Only authorized changes can be made to data.

Data Integrity Provides protection of data from unauthorized manipulation. One of five security service categories defined by X.800.

Data-Origin Authentication As defined by RFC 2828: The corroboration that the source of data received is as claimed. One of the fourteen specific security services defined by X.800.

DDOS Attack Abbreviation of Distributed Denial-of-service Attack.

Deep Packet Inspection Examines the entire header of a packet and likely the data too, possibly analytically or to record some form of information. May be used for either defensive or offensive purposes, or possibly even just for network monitoring.

Denial of Service As defined by RFC 2828: The prevention of authorized access to a system resource or the delaying of system operations and functions.

Detection Specific Audit Record, Detection Specific Audit Records Logging facilities that contain only data relevant to IDSs (Intrusion Detection Systems).

DHCP (Dynamic Host Configuration Protocol) Abbreviation for Dynamic Host Configuration Protocol.

Dictionary Attack A method of password cracking that uses a program to run through a list of common possible, usually weak, passwords. Crackers usually compile their own collection of dictionaries over time, including passwords from high profile hacks that dump large amounts of passwords.

Digital Signature Cryptographic data sent with a message in order to prevent forgery.

Digital Subscriber Line Family of technologies to transmit digital data over telephone lines. Uses different frequencies for data and voice to allow them to be used simultaneously on the same line.

Distributed Denial-of-service Attack A DOS attack using multiple systems.

DNS Abbreviation of Domain Name System.

DNS Cache Poisoning See DNS Spoofing.

DNS Spoofing An attack where data is introduced to a Domain Name System resolver’s cache that causes it to return the wrong IP address, diverting the traffic to wherever the attacker wants.

DNS Spoofing A way to redirect users to a website other than the one they requested and to which the domain name is registered. Most commonly done using cache poisoning.

Domain Name System A naming system for computers, services, and resources on the Internet or private networks. Most importantly it associates, and allows resolution of, domain names and IP addresses.

DOS (Denial of Service) Abbreviation of Denial of Service.

Downloader, Downloaders A program that installs other programs.

DPI (Deep Packet Inspection) Abbreviation for Deep Packet Inspection.

DSL (Digital Subscriber Line) Abbreviation for Digital Subscriber Line.

Dynamic Host Configuration Protocol An Internet Protocol that dynamically distributes network configuration, most importantly IP addresses.

Encipherment The use of encryption.

Encrypted Virus Virus remains encrypted unless the infected program is executed. A different key is used each time it replicates, eliminating any specific bit pattern to search for.

End System Any computer running a network application such as an email client or browser.

Event Detection Detection of violations of security and also logging of events that may be needed in the future in case of investigation, such as successful log ons.

Exploit, Exploits Code for a specific vulnerability or vulnerability set.

File Infector Infects files that the operating system or shell consider to be executable.

Flooder, Flooders Used to perform DDoS Attacks.

Format String Attack Some string formatting functions such as C’s printf(), when given unchecked user input, may be passed format tokens such as %x to print data from other memory locations that should not be disclosed. Using %n it is also possible to write data to arbitrary locations.

Global ISP, Global ISPs Where the regional ISPs buy service from; they run the major links making up the Internet backbone.

Hacker From the Jargon File:

1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. RFC 1392, the Internet Users’ Glossary, usefully amplifies this as: A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.

2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.

3. A person capable of appreciating hack value.

4. A person who is good at programming quickly.

5. An expert at a particular program, or one who frequently does work using it or on it; as in ‘a Unix hacker’. (Definitions 1 through 5 are correlated, and people who fit them congregate.)

6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.

7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.

Hackers On Planet Earth A biennial hacker convention hosted in NYC (New York City) at the Hotel Pennsylvania by the publishers of 2600 The Hacker Quarterly. Usually the focus is equally technical and philosophical with a little bit of hacker art sprinkled in.

Hash, Hashes The output of a one-way cryptographic function.

Heap Overflow A kind of buffer overflow that happens in the heap data area instead of the stack. Usually used in an attempt to overwrite function pointers.

HOPE Abbreviation of Hackers On Planet Earth.

HTTP An application protocol for hypermedia information, foundation for the Internet.

HTTP Only Cookie, HTTP Only Cookies A cookie that can only be transmitted by HTTP or HTTPS. Cannot be accessed by client-side APIs, protecting against XSS attacks.

HTTP Response Splitting A web-application vulnerability taking advantage of a proxy server on a network caching web objects to perform other attacks such as XSS, web cache poisoning, etc. It results from the server not properly sanitizing input values.

HTTPS Encrypted HTTP.

Hypertext Transfer Protocol An application protocol for hypermedia information, foundation for the Internet.

ICMP A protocol used by network devices such as routers to send error messages.

Idle Scan A TCP port scan that sends spoofed packets to a computer to find out what services are available. This is done by impersonating a zombie system that is not sending or receiving data and observing the behavior of the zombie. This attack is very easy to accomplish using network tools such as nmap, and can even be accomplished with simple scripts; a few lines of quickly hacked together Python can accomplish this on a compromised internal system with no networking tools installed but a Python interpreter installed.

Infection Mechanism How malware spreads or propagates enabling it to replicate.

Infection Vector See Infection Mechanism

Information Security The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications). -NIST

As defined by RFC 2828: Measures that implement and assure security services in a computer system, particularly those that assure access control service.

InfoSec Abbreviation of Information Security.

Information eXtraction See Deep Packet Inspection.

Integrity Having both Data Integrity and System Integrity.

Internet Backbone Part of the network core, a set of routers and links.

Internet Service Provider Provide access links that connect to the Internet backbone. There are different levels of ISPs, at least two tiers:

1. Regional ISPs

2. Global ISPs

IP Address Spoofing Setting a packet source header with a false address. May be used to attempt to bypass packet filters by setting an internal address, or in DDoS attacks.

IP Broadcast Address Logical address which is assigned to all devices on multiple-access communication networks.

ISP (Internet Service Provider), ISPS (Internet Service Providers) Abbreviation for Internet Service Provider.

ITU-T (The International Telecommunication Union - Telecommunication Standardization Sector) Abbreviation of The International Telecommunication Union - Telecommunication Standardization Sector.

IX Abbreviation for Information eXtraction.

Keylogger, Keyloggers Captures keystrokes.

Kit, Kits Set of tools for generating new viruses automatically.

LAN, LANs Abbreviation for Local Area Network.

Least Privilege Only allow access to the resources employees need to do their job; a “need to know” basis.

Logic Bomb, Logic Bombs A program that lies dormant until some pre-condition is met, then the program is triggered and executed.

MAC Address A unique identifier for network interfaces, hardcoded at time of manufacturing, trivial to fake.

MAC Address, MAC Addresses Identifies the network adapter on the physical network. Often assigned to a network device at time of manufacture. Easily spoofed.

Allows for identification of devices sharing a common link layer medium, such as multiple devices on an Ethernet bus or sharing wireless.

Macro Virus, Macro Viruses Target specific document types, which are often portable. PDF and Microsoft Office are popular formats. This is usually accomplished by use of scripting code that is interpreted by the application.

Malware Any type of malicious program.

Man in the Middle The attacker acts as a (secret) relay between the parties communicating. Can be used to attack various security and cryptographic systems.

Masquerade As defined by RFC 2828: A threat action whereby an unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.

Masquerader An individual who compromises a legitimate user’s account.

Metamorphic Virus Mutates with each infection like the Polymorphic Virus, but also rewrites itself with each iteration, further increasing the difficulty of detection. They may also change their behavior in addition to appearance.

Misfeasor A legitimate user who performs unauthorized actions and misuses privileges.

Mobile Code Code that can be deployed unchanged on a collection of platforms and execute identically.

Multipartite Virus Infects files in multiple ways, such as multiple types of files, increasing the number of possible sites of infection.

Native Audit Record, Native Audit Records Nearly all multiuser operating systems have some sort of native logging facilities.

Network Core, Core Network Central part of a telecommunication network that provides services. A set of routers and links that is divided into separate networks. Each network is owned by an ISP.

Network Security See Information Security.

nmap Network analysis and security portscanner software.

Node Any part of the network including systems, routers, switches, etc.

Non-repudiation Provides protection against denial by a participant in a communication of having been the person actually involved in the communications. One of five security service categories defined by X.800.

Non-repudiation Destination, Nonrepudiation with proof of delivery The sender of the data is provided with proof of delivery. This protects against any subsequent attempt by the recipient to falsely deny receiving the data or its contents. One of the fourteen specific security services defined by X.800.

Non-repudiation Origin, Nonrepudiation with proof of origin The recipient of data is provided with proof of the origin of data, protecting against any attempt by the sender to falsely deny sending the data or its contents. One of the fourteen specific security services defined by X.800.

Notarization Use of a trusted third party to assure certain properties of a data exchange.

Open Systems Interconnection Generally referring to the OSI Model.

Open Systems Interconnection Layer A particular layer of the OSI Model.

Open Systems Interconnection Model High level standardization of communication functions for telecommunication and computing systems. The goal is to have standardized protocols that allow many different types of systems to work with each other.

OSI Abbreviation of Open Systems Interconnection.

OSI LAYER (Open Systems Interconnection Layer) Abbreviation of Open Systems Interconnection Layer.

OSI MODEL (Open Systems Interconnection Model) Abbreviation of Open Systems Interconnection Model.

OSI SECURITY ARCHITECTURE (OPEN SYSTEMS INTERCONNECTION SECURITY ARCHITECTURE) An ITU-T architecture on top of the OSI Model that defines the requirements for security and ways to approach implementing measures to reach them. Focuses include Security Attack, Security Mechanism, and Security Service.

Passive Attack, Passive Attacks Attempts to make use of information gathered from listening but does not alter the system.

Payload What the malware does besides spreading.

PDN Acronym for Public Data Network.

PDU (Protocol Data Unit) Abbreviation of Protocol Data Unit.

Peer Entity Authentication As defined by RFC 2828: The corroboration that a peer entity in an association is the one claimed. One of the fourteen specific security services defined by X.800.

Persistent Cookie, Persistent Cookies A cookie that expires after a particular amount of time or at a particular time instead of when the browser is closed.

Pervasive Security Mechanisms Not specific to any particular service and not part of any particular layer or OSI security service.

Phishing Attempt to get sensitive information by means of social engineering.

Physical Address See MAC Address.

Pivot, Pivoting Using an already compromised system to attack others on the same network. This has the advantage of bypassing security measures such as firewalls.

Pivoting Hacking a computer or server and using it to attack other computers on the same network. Because the attacks are performed from within the network rather than from outside, the firewall is bypassed and the attacker has a greater chance of remaining undetected.

Polymorphic Virus Virus that mutates with each infection. Detection by bit pattern is impossible.

Port, Ports Endpoint of communication in an operating system.

Port Scanner Software that checks a server for open ports. This can be used by administrators to verify security policies, and by attackers to identify, or make educated guesses at, what software or services are running on a host and use that information to exploit its vulnerabilities.

Privacy Users have control over their data, including what is collected, stored, and who may access it.

Profile Based Detection A profile of the activity of each user is used to detect changes in individual accounts. May also gather metrics on past actions of related groups of users. The basis of this approach is analysis of audit records.

Protocol, Protocols A standardized means of communicating, including the treatment and formatting of data.

Protocol Data Unit Information delivered as a unit on a network that may contain control information.

PSTN Acronym for Public Switched Telephone Network.

Public Data Network A network used for public data transmissions.

Public Switched Telephone Network World’s circuit-switched telephone network.

Rainbow Table, Rainbow Tables A pre-computed list of password-salt combos.

Ransomware Restricts access to the infected computer and demands payment of a ransom to remove the restriction.

Regional ISP, Regional ISPs Where end users buy service from.

Release of message contents A Passive Attack consisting of eavesdropping on unencrypted data of a telephone conversation, e-mail message, file transfer or any other form of communication.

Replay Attack As defined by RFC 2828: An attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack.

Root DNS Server, Root DNS Servers See Root Name Server.

Root Name Server, Root Name Servers Directly answers requests for records in the root zone by returning a list of the authoritative name servers for the appropriate top-level domain.

Rootkit, Rootkits Set of tools used after obtaining root access on a compromised machine. Allows access to otherwise restricted areas and masks the existence of other operations and software.

Routing Control Enables selection of secure routes for data and routing changes when malicious activity is suspected.

Rule Based Anomaly Detection Similar in approach and strengths to statistical anomaly detection. Audit records are analyzed for patterns and rules are generated to describe the patterns. Rules may be based on:

• Users

• Programs

• Privileges

• Time Slots

• Terminals

Does not require knowledge of security vulnerabilities, simply behavior analysis. Requires a large database.

Rule Based Detection Uses a set of rules or attack patterns to detect behavior that is that of an intruder.

• Uses expert systems technology

• Rules are usually machine and operating system specific

• Rules usually generated by experts

Rule Based Penetration Identification Uses rules based on known penetrations or penetrations that exploit known weaknesses and known suspicious behavior. Generally these rules are specific to a given machine and operating system. These rules may be based on:

• Analysis of attack tools

• Analysis of attack scripts

• Knowledgeable security personnel

Salt, Salts Additional data added to a password before hashing in order to ensure that even two people with the same password have different hashes stored for them. Defends against dictionary attacks using a list of password hashes and rainbow tables.
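As an added example (not code from the rtfm page), the following Python shows what the Rainbow Table and Salt entries describe: an unsalted SHA-256 of a common password is a direct key into a precomputed table, while a per-user random salt mixed into a slow key derivation gives two users with the same password different stored hashes, so no shared table applies. The PBKDF2 work factor, the password values and the tiny precomputed table are assumptions constructed for the illustration.

```python
"""Salted password hashing versus a precomputed table.

Added example, not code from the rtfm page.  The work factor, the
sample passwords and the tiny precomputed table are assumptions made
for this illustration; a real table would hold millions of entries.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value)
SALT_BYTES = 16


def plain_sha256_hex(password: str) -> str:
    """The weak scheme: one deterministic hash of the password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed (rainbow) table: hash -> password
# for a few common passwords.  Built once, it reverses every unsalted
# SHA-256 of those passwords on every system that stores them that way.
PRECOMPUTED: Dict[str, str] = {
    plain_sha256_hex(p): p for p in ("123456", "password", "hunter2")
}


def unsalted_lookup(stored_hex: str) -> Optional[str]:
    """Recover a password from an unsalted hash by table lookup."""
    return PRECOMPUTED.get(stored_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scheme: return (salt, digest).  A fresh random salt is drawn
    for every new record, so no two records share a hash input."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def same_password_different_hashes(password: str) -> bool:
    """Two users choosing the same password end up with different stored
    hashes, which is exactly what defeats a shared precomputed table."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b
```

The stored record must keep the salt next to the digest (it is not secret); what it must never keep is the unsalted form, since that is the key the precomputed table is indexed by.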

Script Kiddie, Script Kiddies

1. Kids playing around with little real knowledge of computer and networking systems.

2. Someone who only knows how to use security tools that are made by other people, such as automated intrusion scripts, and does not have the capability to write their own tools or find their own exploits.

SDU (Service Data Unit) Abbreviation of Service Data Unit.

Secure Cookie, Secure Cookies Can only be transmitted over HTTPS. Makes eavesdropping harder.

Security Attack, Security Attacks As defined by RFC 2828: An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Security Audit Trail System records to facilitate detection and investigation of breaches of security.

Security Label A label associated with data to indicate the security level. It must be securely attached to the data.

Security Mechanism, Security Mechanisms As defined by RFC 2828: A process (or a device incorporating such a process) that can be used in a system to implement a security service that is provided by or within the system.

Security Recovery Deals with requests from mechanisms such as event handling and management functions, and takes recovery actions as the result of applying a set of rules.

Security Requirements Triad The combination of Confidentiality, Integrity, and Availability for Information Security.

Security Service, Security Services As defined by RFC 2828: A processing or communication service that is provided by a system to give a specific kind of protection to system resources. X.800 defines five categories of security services: Authentication, Access Control, Data Confidentiality, Data Integrity, and Non-repudiation.

Selective-Field Confidentiality Provides confidentiality for selected fields within the user data on a connection or a single connectionless SDU. One of the fourteen specific security services defined by X.800.

Selective-Field Connection Integrity Provides integrity of selected fields within the user data of an SDU transferred over a connection and determines if the selected fields have been modified, inserted, deleted or replayed. One of the fourteen specific security services defined by X.800.

Selective-Field Connectionless Integrity Provides for the integrity of selected fields within a single connectionless SDU and determines if the selected fields have been modified. One of the fourteen specific security services defined by X.800.

Service Data Unit In OSI, a unit of data passed from a higher OSI layer to a lower layer that has not been encapsulated into a PDU by the lower layer.

Session Cookie, Session Cookies Exists only in temporary memory while the user is on the site. Usually deleted when the browser is closed.

Session Fixation The attacker sets a user's session ID using another exploit, such as getting them to click on a link to a malicious website that will serve them a cookie with a session ID for the website, then waits for them to log into the website. Once they log in the attacker uses a copy of the cookie to gain access to the victim's account.

Session Hijacking An attacker steals an authentication cookie from a user and uses it to log onto the site that it grants access to.

Session ID Basically a temporary login key stored in a browser cookie. Usually not even encrypted.
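The cookie and session entries above (Secure Cookie, Session Cookie, Persistent Cookie, Session Fixation, Session ID) as an added Python example, not code from the rtfm page. It builds the Set-Cookie header for a Secure, HttpOnly session cookie beside a persistent one, draws session IDs from the OS CSPRNG rather than anything guessable, and rotates the session ID at login, which is the standard defence against session fixation: the ID planted before login never becomes a logged-in session. The cookie name, the in-memory store and the user names are assumptions for the illustration.

```python
"""Session cookies and session ID rotation.

Added example, not code from the rtfm page.  The cookie name, the
in-memory store and the user names are assumptions for the illustration.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_COOKIE = "sid"  # assumed cookie name


def new_session_id() -> str:
    """128 bits from the OS CSPRNG, URL-safe encoded: unguessable."""
    return secrets.token_urlsafe(16)


def session_cookie_header(session_id: str, persistent_days: Optional[int] = None) -> str:
    """Build the Set-Cookie value.  Without persistent_days this is a session
    cookie (no Max-Age, gone when the browser closes); with it, a persistent
    cookie that survives until the given age."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    morsel = cookie[SESSION_COOKIE]
    morsel["secure"] = True      # only ever sent over HTTPS (Secure Cookie)
    morsel["httponly"] = True    # not readable by page scripts
    morsel["samesite"] = "Lax"   # not attached to cross-site POSTs
    morsel["path"] = "/"
    if persistent_days is not None:
        morsel["max-age"] = persistent_days * 24 * 3600
    return cookie.output(header="").strip()


class SessionStore:
    """In-memory store mapping session ID -> session data (constructed)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def start_anonymous(self) -> str:
        """Session handed to a visitor before login (no user attached)."""
        sid = new_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate and rotate the session ID.  Whatever ID the client
        presented (possibly planted by an attacker) is discarded, so a copy
        of it never turns into a logged-in session."""
        if presented_sid in self._sessions:
            del self._sessions[presented_sid]
        fresh = new_session_id()
        self._sessions[fresh] = {"user": user}
        return fresh

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        """Resolve a presented ID to a user, or None if unknown/anonymous."""
        return self._sessions.get(sid, {}).get("user")
```

Rotation on login is the one step that matters against fixation: the flags on the cookie reduce how easily the ID leaks (Session Hijacking), but only discarding the pre-login ID removes the value of an ID the attacker already knows.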

Short Message Service Text messaging component of a network.

Signature Detection See Rule Based Detection.

SMS (Short Message Service) Abbreviation for Short Message Service.

Smurf Attack DDoS attack where large amounts of ICMP packets with the victim's spoofed source IP are broadcast over a network using an IP Broadcast address.

Social Engineering Psychological manipulation of people to get them to perform some action or divulge confidential information.

Source Routing Attack, Source Routing Attacks The source specifies the route a packet should take across the internet, in an attempt to bypass some security measures.

Spammer Program, Spammer Programs Used to send out mass amounts of unwanted e-mails.

Specific Security Mechanisms May be incorporated into the appropriate layer in order to provide some security service.

Spyware Software that collects information and phones home.

SQL (Structured Query Language) Injection Code injection technique.

Statistical Anomaly Detection Uses data collected about the behavior of legitimate users over some window of time, compared against observed behavior, to determine if they are legitimate users. Ineffective used alone.

May use:

• Threshold Detection

• Profile Based Detection

Stealth Virus Designed to evade antivirus software. The entire virus and payload is hidden, possibly using code mutation (compression), a rootkit or any other methods.

Steve Rambam Founder and CEO of Pallorium, Inc., a licensed investigative agency with offices and affiliates worldwide. Coordinated investigations in more than 50 countries and in nearly every US state and Canadian province. Best known for pro bono activities, such as investigation of nearly 200 Nazi collaborators and war criminals worldwide. He has also coordinated efforts to expose terrorist groups' fundraising activities in the US.

Subnet, Subnets See Subnetwork.

Subnetwork, Subnetworks A logical subdivision of an IP network.

Supercookie, Supercookies A cookie from a top level domain, i.e. .com, .org, etc. Usually blocked because they are a security threat.

System Integrity A system can be trusted to perform its tasks correctly without accidental or intentional malicious activities.

TCP (Transmission Control Protocol) Abbreviation for Transmission Control Protocol.

The International Telecommunication Union - Telecommunication Standardization Sector A United Nations agency that coordinates standards for telecommunications.

Third-Party Cookie, Third-Party Cookies The domain attribute does not match the one shown in the web browser's address bar. Usually advertisements.

Third-Party Tracking Cookie, Third-Party Tracking Cookies Malicious cookies meant to track long term browsing histories.

Threshold Detection Defined thresholds, independent of users, for the frequency of certain events. Often very ineffective unless paired with a timer for each action, for example number of failed password attempts in a minute versus total number.
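The Profile Based Detection, Statistical Anomaly Detection and Threshold Detection entries describe two ways of reading the same audit records. The following added Python example (not code from the rtfm page) shows both over constructed sshd-style failed-login lines: a bare total count, a threshold paired with a timer (a sliding one-minute window, the "attempts in a minute versus total number" distinction above), and a per-user profile that flags today's count against that user's own historical mean and standard deviation. The log format, the window length, the thresholds, the history figures and the user names are all assumptions.

```python
"""Threshold and profile-based detection over constructed log lines.

Added example; not code from the rtfm page.  The sshd-style log format,
the window length, the thresholds, the history and the user names are
assumptions made for this illustration.
"""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample: 'bob' mistypes his password once every few minutes
# (six failures spread over 15 minutes); 'eve' fails six times in 40 seconds.
SAMPLE_LOG = """\
2016-05-28T10:00:05 sshd[811]: Failed password for bob from 10.0.0.5
2016-05-28T10:03:10 sshd[812]: Failed password for bob from 10.0.0.5
2016-05-28T10:06:20 sshd[813]: Failed password for bob from 10.0.0.5
2016-05-28T10:09:00 sshd[814]: Failed password for bob from 10.0.0.5
2016-05-28T10:12:00 sshd[815]: Failed password for bob from 10.0.0.5
2016-05-28T10:15:00 sshd[816]: Failed password for bob from 10.0.0.5
2016-05-28T11:00:00 sshd[900]: Failed password for eve from 10.0.0.9
2016-05-28T11:00:07 sshd[901]: Failed password for eve from 10.0.0.9
2016-05-28T11:00:14 sshd[902]: Failed password for eve from 10.0.0.9
2016-05-28T11:00:21 sshd[903]: Failed password for eve from 10.0.0.9
2016-05-28T11:00:28 sshd[904]: Failed password for eve from 10.0.0.9
2016-05-28T11:00:40 sshd[905]: Failed password for eve from 10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)$")


def parse_failures(log: str) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, user) for every failed-password line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return events


def total_count_alerts(events: List[Tuple[datetime, str]], limit: int) -> List[str]:
    """Threshold without a timer: total failures per user, whenever they happened."""
    counts: Dict[str, int] = defaultdict(int)
    for _, user in events:
        counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= limit)


def windowed_alerts(events: List[Tuple[datetime, str]], limit: int, window_seconds: int) -> List[str]:
    """Threshold with a timer: flag a user once `limit` failures fall inside
    any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    for ts, user in sorted(events):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= limit:
            flagged.add(user)
    return sorted(flagged)


def profile_alerts(history: Dict[str, List[int]], today: Dict[str, int], z: float = 3.0) -> List[str]:
    """Profile-based detection: each user's own past daily counts are the
    baseline; today's count is flagged when it lies more than z standard
    deviations above that user's mean."""
    flagged = []
    for user, past in history.items():
        mean = statistics.fmean(past)
        sd = statistics.pstdev(past) or 1.0  # flat history: avoid division by zero
        if (today.get(user, 0) - mean) / sd > z:
            flagged.append(user)
    return sorted(flagged)
```

With the sample above the bare total count cannot tell the two users apart, because each has six failures in the file; the windowed threshold separates the burst from the trickle, and the profile does the same from the other direction, by comparing each user with their own past rather than with a fixed number.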

Tiny Fragment Attack, Tiny Fragment Attacks Using the IP fragmentation option to create extremely small fragments, forcing the TCP header information into separate packet fragments. This can be used to bypass packet filtering firewall rules based on TCP header information.

Tor Free software and open network that helps defend against traffic analysis.

Traffic Analysis A Passive Attack as defined by RFC 2828: Inference of information from observable characteristics of data flow(s), even when the data is encrypted or otherwise not directly available. Such characteristics include the identities and locations of the source(s) and destination(s), and the presence, amount, frequency, and duration of occurrence.

Traffic Padding Insertion of bits into gaps of a data stream to frustrate traffic analysis attempts.

Traffic-Flow Confidentiality Provides protection of the information which might be derived from observing traffic flow, or traffic analysis. One of the fourteen specific security services defined by X.800.

Transmission Control Protocol A core protocol of the internet. Provides reliable, ordered, and error-checked delivery of a stream between applications over a network.

Trigger Event or condition that determines when a malware's payload will be delivered. Sometimes called a Logic Bomb.

Trojan Horse A program that appears to have some legitimate purpose, but also has hidden malicious functionality.

Trusted Functionality The procedures used to ensure that hardware and/or software are trustworthy.

UDP Abbreviation for User Datagram Protocol.

Up Time See Availability.

User Datagram Protocol A connectionless transmission model, much faster, and much less reliable, than TCP. It does provide checksums for data integrity.

Virus Malware that tries to replicate itself into other executable code when it is executed. If it succeeds the code is infected and when executed the virus also executes.

Virus Generator, Virus Generators See Kit.

VLAN (Virtual LAN) Hopping Attacks networked resources on a VLAN. Allows access to traffic on other VLANs that would not normally be accessible.

Wardriving Searching for WiFi Networks in person using a moving vehicle and a portable computer.

Web Cookie, Web Cookies See cookie.

Wiretapping Monitoring of communications by a third party, often by covert means.

Worm, Worms A program that runs independently and can propagate a complete working version of itself onto other hosts on the network.

X.800 A security architecture in the sense of information security, to secure the connections between different digital systems. X.800 is not a standard but a recommendation by the ITU-T.

XSRF Abbreviation for Cross Site Request Forgery.

XSS Used as an abbreviation for Cross Site Scripting.

XXS Used as an abbreviation for Cross Site Scripting.

Zombie See Bot.

Zombie Cookie, Zombie Cookies A cookie that rises from the dead after deletion. Done with a client side script that stores the data in multiple locations, exploiting features such as Flash or HTML5, etc.

1.6 System Administration

1.6.1 Installing Debian 8 with Encrypted RAID LVM

date 17 December, 2015

Introduction

Installing Debian Linux is now incredibly easy. Most of the time it is possible to simply mash the enter key, selecting yes repeatedly, and get a nice stable working system. It will even automate setup of encrypted LVM. The one place it is still lacking is automated RAID setup.

Note:

Assumptions:

• RAID1

• Using the full disks without dual boot.

• The disks are the same size.

tl;dr

1. Configure the RAID devices, one for /boot and one for encrypted LVM.

2. Configure the crypto device on the second larger RAID partition.

3. Configure / and /swap LVM partitions on the crypto volume.

Setup /boot

• At the disk partitioning screen select manual setup.

• Delete any past partitions and free up all space on the disks.

– Dismantle any raid

– Select the partition

– Delete the partition

• For all disks to become a RAID volume, create a boot partition:

– Select the disk.

– Create new partition.

– 100MB should be enough.

– Primary type is ok.

– Create at the beginning of the disk.

– Use as physical volume for RAID.

– Set boot flag to on.

There should now be (at least) two primary physical volumes set up for RAID, about 100 MB in size. Next create the RAID volume.

• Select configure software RAID.

– Create RAID device

– RAID1

– Enter number of disks to use. At least two disks must be used, the more the safer the data.

– Enter number of disks to have on standby in case of a disk failure, if any.

– Select the partitions to create the RAID volume with, the two RAID volumes just created.

– Finished

Note: If finished is not selected then the changes will not be finalized.

• Select the partition under the RAID1 device just created.

– Use as Ext4-Journaling-Filesystem

– Set mounting point to /boot.

– The boot partition is now ready to go.

Note:

• Boot can be formatted to a number of different file systems with GRUB, but unless some exotic features are needed ext4 is a safe bet.

• /boot can be encrypted also, but it is likely more trouble than it is worth so let’s leave it alone.

Setup / and /swap

With the free space that is left follow the same exact procedure as setting up the /boot partition, but select the default value for the size (the rest of the disk) and leave the boot flag off. Once the second RAID volume is created:

• Select each RAID volume.

– Select use as physical volume for encryption.

Note:

• The default settings here are perfectly safe so long as a strong password is used, although all the other ciphers listed are also safe to use.

• XTS mode is likely the best as it is designed with disk encryption in mind.

• Deleting the data on the partition is optional. It also should be noted that the attack used to recover data from an encrypted disk that has not been wiped is only theoretical and has never been successfully done anywhere, ever (that was recorded). If there is a need to worry about some adversary that has the resources to recover such data, there might be a need for encryption stronger than XTS-AES256. Because the adversary is not human.

Warning: Unlike the choice of ciphers to use, the modes of operation are not all safe to use. Notably ECB mode for encryption is not safe to use, and should be avoided in general whenever possible.

There should now be at least four RAID volumes (2 on each disk), and two RAID devices, the smaller of which should be set to mount as the /boot partition, and the larger an encryption volume.

• Select configure encrypted devices.

– Create encrypted device.

– Select the encryption volume just created.

– Select finished to apply.

– Enter a strong password.

• Select the newly created encrypted partition.

– Use as physical volume for LVM.

• Select configure Logical Volume Manager.

– Create volume group.

– Give it a name.

– Select the encrypted device.

– Create logical volume.

– Select the new volume group.

– Call it swap.

– Make it about half of the computer's RAM.

– Make one more with the rest of the space called root.

• Select the LVM partition swap.

– Use as swap space.

Note: Swap space isn't required. If the system has enough RAM that it will never run out, don't waste the space. If it ever does run out of RAM without swap space, it will cause a huge performance hit though.

• Select the LVM root partition.

– Use as Ext4-Journaling-Filesystem

– Set mount point to /

Hit write changes to disk and proceed with the rest of the automated install. That is it; when the install finishes, after the reboot there will be a prompt for the password to the mirrored drives.
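Once the system is up, the mirrors built above can be checked from the running system. The following is an added Python example, not part of the rtfm page: it parses the /proc/mdstat format that the Linux md driver exposes and reports any array that is degraded or still rebuilding, which is the first thing to verify after the install and after any disk replacement. The sample text is constructed (one healthy array, one with a failed member and a rebuild in progress) and the device names are assumptions.

```python
"""Health check for the RAID1 arrays built in the procedure above.

Added example, not from the rtfm page.  Parses the /proc/mdstat format;
the sample below is constructed and the device names are assumptions.
"""
import re
from typing import Dict, List

# Constructed /proc/mdstat: md0 (/boot) healthy, md1 (encrypted LVM) with
# sda2 marked failed (F) and a rebuild onto the remaining disk in progress.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      97216 blocks super 1.2 [2/2] [UU]

md1 : active raid1 sdb2[1] sda2[0](F)
      976631488 blocks super 1.2 [2/1] [_U]
      [=>...................]  recovery =  5.0% (48831744/976631488) finish=80.0min speed=193000K/sec

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\w+) (raid\d+) (.*)$")
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")  # [configured/active] [UU]


def parse_mdstat(text: str) -> Dict[str, dict]:
    """Return one record per md device: level, members, failed members,
    configured vs. active device counts, slot map and rebuild flag."""
    arrays: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, members = m.groups()
            current = name
            devs = members.split()
            arrays[name] = {
                "state": state,
                "level": level,
                "members": devs,
                "failed": [d for d in devs if d.endswith("(F)")],
                "wanted": None,
                "active": None,
                "slots": "",
                "recovering": False,
            }
            continue
        if current is None:
            continue  # header lines before the first array
        s = STATUS_RE.search(line)
        if s:
            arrays[current]["wanted"] = int(s.group(1))
            arrays[current]["active"] = int(s.group(2))
            arrays[current]["slots"] = s.group(3)
        if "recovery" in line or "resync" in line:
            arrays[current]["recovering"] = True
    return arrays


def degraded_arrays(arrays: Dict[str, dict]) -> List[str]:
    """An array is degraded when fewer devices are active than configured
    or any slot shows '_' (missing) instead of 'U' (up)."""
    return sorted(
        name for name, a in arrays.items()
        if a["active"] != a["wanted"] or "_" in a["slots"]
    )
```

On the installed machine call parse_mdstat() on the contents of /proc/mdstat; a degraded /boot mirror is as serious as a degraded root mirror, since GRUB reads the kernel from it. The LUKS volume that sits on top of the larger array is a separate layer and is checked with cryptsetup status, which this example does not cover.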

1.6.2 Sudo on Debian

date 3 January, 2016

Installation

    apt-get install sudo

Configuration

The configuration file /etc/sudoers contains the permissions for normal users to run commands as root. By default only root has any privileges. The following is the default configuration for Debian 8 (Jessie):

    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults env_reset
    Defaults mail_badpass
    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root ALL=(ALL:ALL) ALL

    # Allow members of group sudo to execute any command
    %sudo ALL=(ALL:ALL) ALL

    # See sudoers(5) for more information on "#include" directives:

    #includedir /etc/sudoers.d

Instead of adding users to the group sudo it is best to enable only the commands needed. One of the most commonly needed commands for normal users is system update and package installation. This can be achieved for apt-get and aptitude by adding the following to the end of the file:

    username ALL = NOPASSWD : /usr/bin/apt-get , /usr/bin/aptitude

If it is not just a personal computer and this is being enabled for other users, it is important to consider the security risk. While the line will only allow username to run apt-get and aptitude with root privileges, it will also allow them to uninstall critical software or install outdated or known exploitable software to gain complete root access. If this may be a problem, more fine grained control may be needed.

1.7 Software Engineering

1.7.1 Software Development Process

While there is broad agreement on what needs to be done for software development,

• Recognition of problem, need, or opportunity

• Feasibility study

• Analysis of Requirements

• Design of system

• Implementation

• Testing

• Deployment

• Maintenance

Different models will achieve them in different ways, and each organization will have its own model, and even each team.

Workflows

Micro-Workflow

All workflows consist of:

• Analysis

– What the system TOI is

– How does the real world system work

– How should the system work

– Use cases

• Design

– How to organize

– How to accomplish the goals

• Implementation

– UML (Unified Modeling Language) (if OOD (Object Oriented Development))

– Write code

– Write tests

– Finalize the current TOI

• Validation

– Decide if implementation is acceptable

– Discuss decisions with a domain expert

– Formal proof

– Testing

– Reviews

Workflows must be viewed in terms of the current TOI. Then when each TOI is finished the next one is started. For example, when writing an ADT this process would be repeated for each phase of the design: analysis of the problem, design, writing tests, writing code, and validation.

This micro-workflow for each step must not be confused with the bigger-picture project workflows.

Project Workflow

Analysis

• Examine existing system

– How does the existing system work

– How should the system work

– What are its shortcomings

• Use cases

• Propose a new system

– Decide exactly what the new system will do

• Produce documents from requirements analysis

– Feasibility report

– Software Requirements Specification (SRS (Software Requirements Specification))

* Detailed statement of problem

* Functional Requirements

* Constraints on the system

Design

• Create a design that satisfies the software requirements

• Architectural Design: Decisions common to all components such as hardware

• High level design: Dividing system into components

• Low level design: Data structures and algorithms

Implementation

• Write code

• Write tests

Verification and Validation

• Decide if implementation is acceptable

• Discover defects in the system

• Questions that will be asked:

– Verification: Are we building the product right? Does it conform to the specification?

– Validation: Are we building the right product? Does the software do what the user needs?

– Is the system usable in an operational situation?

• Testing

– Unit Test

– Integration Test

– System Test

– Regression Test

– Acceptance Test

Maintenance

• Corrective: fixes problems

• Adaptive: Adapts to changes in the environment

• Perfective: Adds features and improves performance

• Preventative: Refactors to improve maintainability (preserving current behavior)

Software Process Models

Different models suit different types of projects and the people that work on them, there is no best model. Which oneto use depends on a large number of variables.

Two major models:

• Traditional

• Agile

Traditional

Waterfall Model

• Strengths

– Simple, Intuitive, and Logical. The linear structure is easy to understand.

– Development process is easily estimated and explicitly documented

– Widely known and easy to execute

– Scales well

• Weaknesses

– All or nothing approach

– Inflexible, changes limited to current phase and can’t go back

– Requirements frozen early allow no flexibility

– Cycle time is long

– Hardware and other tech in requirements may become outdated by release

– User feedback not allowed

– Encourages requirement bloating

– Working version not available until the end

• Types of Projects

– Well understood problems

– Short projects

– Automation of manual systems

The waterfall model is the most widely known process, and is traditional. The stage names overlap with the goals listed earlier, but they do not mean the same thing. It is very formal, very rigid, very unpleasant.

• Requirements

– Define requirements in a requirements specification

– Language is very important, “shall”, “should”, etc.

– Specify Behaviors

• Design

– Design documentation

– Derive a solution to the requirements.

– Phases

* Architectural (Hardware)

* High-Level (ADTs)

* Low-Level

• Implementation

– Code, application & test

– Easy day

• Verification & Validation

– Does the system meet user needs

– Have requirements been met

– Is the domain expert happy

– Do the requirements need to be changed

– Does it work in a real environment vs. testing

• Operation & Maintenance

– Development lifecycle

* Prioritize change

* Make changes

* Validate changes

* New tests

* Validate changes don’t break old code

* Regression testing

Prototyping

• Strengths

– Helps determine correct requirements

– Reduces risk

– Leads to a better system

• Weaknesses

– Front heavy process

– Possibly higher costs

– Disallows later changes

• Types of Projects

– Systems with novice users

– When there are uncertainties in requirements

Iterative Enhancement

• Strengths

– Ability to explore poorly understood requirements

– Working implementation available early

– Regular and quick deliveries

– Reduces risk

– Accommodates change

– Allows user feedback

– Allows reasonable exit points

– Avoids requirement bloating

– Prioritizes requirements

• Weaknesses

– Poor process visibility

– Each iteration can have planning overhead

– Costs may increase as work that is done in one iteration may be undone later

– May lead to worse system architecture and structure

• Types of Projects

– When (release) time is important

– When the risk of a long project is too great

– When requirements are not known

Spiral Iterative approach with a focus on risk management. Each iteration builds on earlier ones. Has four phases:

• Determine objectives, alternatives, and constraints

– Define Requirements

– Alternatives identified, for example 3rd-party code

– Constraints identified

• Identify and resolve risks, evaluate alternatives

– Evaluate identified alternatives

– Identify risks

– Resolve risks

– Produce prototype

• Develop and test

– Analyze performance of prototype

– Create & review design, code, test

• Plan next iteration

– Often includes customer evaluation of prototype

Strengths and weaknesses:

• Strengths

– Very flexible

– Controls project risk

– Less documentation needed

– Considerable opportunity for validation

– Good process visibility

– Working releases produced early

• Weaknesses

– Can be costly (slow)

– No strict standards for software development

– No particular beginning or end of any phase

– Risk analysis is a specialized skill, and critical to project success

• Types of Projects

– Projects built on untested assumptions

Agile Methods

Agile development is a social movement within the software development profession introduced by the Agile Manifesto (2001) as a reaction against heavily-managed, documentation-heavy process. A modern take on incremental development, agile methods remove the difficulty of changing direction that is inherent in heavyweight development methods. Even less restrictive models like prototyping and evolutionary development are sometimes still not agile enough. The focus of agile is to deliver a viable working product as quickly as possible without the overhead and restrictions of extensive plans and processes that would be thrown out later anyway. The key ideas are:

• Individuals and interactions are more important than processes and tools.

• Working software is more important than comprehensive documentation.

• Customer collaboration is more important than contract negotiation.

• Responding to change is more important than following a plan.

Agile methods development cycles:

• Small and incremental

• Not extensively planned, but the situation is reviewed at the end of each cycle

• At the end of each the system is up and running

– Delivers value quickly to the users

– Resembles evolutionary prototyping, but the result is not an intermediate throwaway result

• No extensive architectural or design phase

• Uses refactoring to improve design

• Short “time boxed” development cycles

• Focus on quality as a matter of professional pride


• Adoption of professional best practices

Prototyping as a Tool for Requirements Engineering In such a model the prototyping and actual development phases are distinct. The prototyping phase is repeated until solid requirements have been found,

• Requirements Engineering

• Design

• Implementation

• Testing

Then the real development process is started,

• Design

• Implementation

• Testing

• Maintenance

This may be done with the prototype either evolving into the final product, or with the prototype being a throwaway and only the discovered requirements carrying over.

• Advantages

– Resulting system is easier to use

– Resulting system has fewer features

– User needs are better accommodated

– Design is of higher quality

– Problems are detected earlier

– Resulting system is easier to maintain

– Development incurs less effort

• Disadvantages

– Resulting system has more features

– Design is of lower quality

– Performance of the system is worse

– Resulting system is harder to maintain

– Team members should be more experienced

• Types of Projects

– Requirements are unclear or ambiguous

– Systems with considerable emphasis on the user interface and user interaction

– Experienced team that understands the pitfalls and that frequent changes are part of the process

– A high level of communication with users is possible


Incremental Development A method in which the final product is approached in small steps, each of which employs the waterfall method. This way the functionality of the system is delivered in small increments to the users and they can be closely involved.

• Attention is focused first on essential features

• Produces leaner systems

• Most difficult and highest risk parts are often done first

This may be achieved using the spiral model,

• Identify the subproblem with the highest risk

• Find a solution

For example,

• If obtaining the proper set of user requirements is seen as the area with highest risk, follow the spiral a few times around to solve this subproblem (i.e., prototype).

• If the main issue is to obtain a robust and well-documented system from a precise requirements specification, follow the spiral once, using the traditional process model with its phases and corresponding milestones as intermediate steps.

• If developing software incrementally, track the spiral a number of times, once for each increment.

• During maintenance, the reported errors or changing requirements are triggers to track the spiral.

RAD and DSDM RAD (Rapid Application Development) is similar to other iterative development processes. It however uses the idea of a time box, a fixed immovable time frame in which activities are done.

• Requirements planning

– JRP (Joint Requirements Planning)

– End users are present

– Triage: Requirements prioritized into “MoSCoW” categories

* Must haves: Needed

* Should haves: Important

* Could haves: If there is time

* Won’t haves: For the next iteration

• Application design

– JAD (Joint Application Design) workshop

– Prototype

– Second JAD workshop with prototype

• Construction

– Highly skilled small team (SWAT (Skilled With Advanced Tools) Team)

– Involved after first JAD workshop

– Creates a series of evolutionary prototypes

– Prototypes reviewed by users

• Cutover


– Final testing

– User training

– System installation

Because of the immovable nature of the deadlines it is very important not only to get the requirements right the first time, but also to clearly define which features must be finished first, and in which order they will be cut if it is not possible to deliver them by the deadline.

DSDM (Dynamic Systems Development Method) is a variation of RAD based on nine principles,

• Active user involvement is imperative

• The team must be empowered to make decisions

• The focus is on frequent delivery of products

• Fitness for business purpose is the essential criterion for acceptance of deliverables

• Iterative and incremental development is necessary to converge on an accurate business solution

• Changes during development are reversible

• Requirements are baselined at a high level

• Testing is integrated throughout the lifecycle

• A collaborative and co-operative approach between stakeholders is essential

It has five phases,

• Feasibility study: Can we even build this system?

• Business study: Defines relevant business processes and high-level architecture.

• Functional model iteration: analysis models, prototypes, major components.

• Design and build iteration: System engineering.

• Implementation: System installation and user training.

Extreme Programming Takes known best practices to an extreme level. For example, instead of periodic code review, pair programming is used. Typically this is done in one room with a small team. Common XP (Extreme Programming) practices include,

• The planning game: Scope is determined quickly and changed on the fly.

• Small releases: Simple first release, then short cycles.

• Metaphor: Simple metaphor used for the whole system.

• Simple Design: Design must be and remain as simple as possible.

• Testing: Continuous unit and acceptance tests.

• Refactoring: The system is restructured without behaviour changes to improve quality.

• Pair Programming: All code is written by two programmers at one machine.

• Collective Ownership: Anyone can change code anywhere, at any time.

• Continuous Integration: The system is integrated and built many times a day.

• 40-Hour Week: The team works only 40 hours per week.

• On-Site Customer: A real user should be on the team, full time.

• Coding Standards: Coding standards are established.


It is based on five principles:

• Rapid Feedback

• Simplicity

• Incremental Change

• Embracing Change

• Quality Work

The Rational Unified Process (RUP)

The RUP (Rational Unified Process) is an incremental process geared towards the development of object-oriented systems. It sits in a grey area between document-driven and agile methods.

• Comes with a lot of tool support

• There are sources and templates for documents

• Complements UML.

Has four phases, each of which may have several iterations.

• Inception: initial concept

– Pitching the project

– Usually informal “maybe we should build a ...”

– Gets clear objectives

– Estimates Overall Cost, schedule, and risk

– Critical use cases developed

– Candidate architecture developed

– Business case must be clear by the end

• Elaboration: exploring requirements

– Adding detail to understanding of the system

– Analyzes the problem domain

* Domain model

* Analysis model

* Requirements document

* Release plan

– Obtains a sound architecture

– Most use cases identified by the end

– All major risks resolved by the end

• Construction: building the software

– Design and implementation

– Manufacturing and building process


– Develops deployable products

– Complete components developed and tested

– User manuals written

– First operational system, the beta release, is ready by the end

• Transition: final packaging

– System is released

– Activities that can not be done during construction

* Performance tuning

* User training

* Beta-Testing

* Legacy system phased out (if one)

In its second dimension it has nine “workflows”,

• Business Modeling

• Requirements

• Analysis and Design

• Implementation

• Test

• Deployment

• Configuration and Change Management

• Project Management

• Environment

The release plan set up during elaboration,

• Phases are divided into increments each ending with a release

• A release is a prototype that implements some part of required functionality

– Acceptance by management shows readiness to move on

• The release plan records the decisions about:

– How many releases there will be

– What functionality is added in each

– When the releases will be made

– Which releases are internal and which are external

It is based on best practices,

• Iterative Development

• Requirements Management

• Architecture and use of Components

• Modeling and UML

• Quality of Process and Product


• Configuration and Change Management

• Use-Case-Driven Development

• Process Configuration

• Tool Support

Usability,

• Advantages

– Process details are given generally, allowing local customization

– Heavy emphasis on documentation (UML)

– Can embrace incremental releases

– Evolutionary approach can lead to clean releases

• Disadvantages

– Process details are given generally (minimal guidance)

– Heavy documentation can be expensive

– Complex

Team Organization

Team organization is a major part of the software development process. Within a team different roles may be established, such as,

• Managers

• Testers

• Designers

• Programmers

• Quality Assurance

General Principles

• Use fewer, and better, people

• Try to fit tasks to the capabilities and motivation of the people available

• Help people to get the most from themselves

• Select people to ensure a well-balanced and harmonious team

• Remove people who do not fit the team

Hierarchical Organization

• One team per major subsystem

• Teams report to managers

• Managers report to one or more levels of higher managers

This type of organization often reflects the system being built for example,


• Project Manager

• Individual subsystem, QA (Quality Assurance), and testing managers

• Individual Subsystem, QA, and testing teams

One major disadvantage is the detachment from the “real project” that occurs in higher levels of management. This may cause standards to be imposed that are obviously completely absurd from the lower levels. Further, in favor of positive evaluations, information passed up each level tends to get a little more rose-colored. This telephone game can lead to a very large misrepresentation of the project's progress at the top level.

Another disadvantage is that often rank equates to reward level.

Matrix Organization

Often used in environments where software is simply a byproduct. Usually people from different departments are allocated to software projects, sometimes only part-time. It is also used in dedicated software projects though.

• Small group

• Specialized

– Graphics

– Programming

– Databases

– User Interfaces

– Quality Control

– etc.

• Units are organized by specialty

Example matrix (specialty units across the top, projects down the side; an X marks a unit the project draws on):

Units: Real-Time Programming, Graphics, Databases, QA, Testing
Project C: draws on three of the units
Project B: draws on four of the units
Project A: draws on four of the units

Chief Programmer Team

Attempts to allow the most productive people to work unhindered.

• Chief programmer is team leader

– Takes care of the design

– Implements key parts of the system

• Assistant programmer assists the chief and does rest of implementation (stand in for the chief if needed)

• Librarian handles documentation, deployment, code management, etc.

• Specialists augment the team

Effects on development,

• Very coding centric

• High stress on chief

• Low level of satisfaction for the rest of the team


• Does not scale well

SWAT Teams

A team organization for iterative process models,

• Small teams sharing a workspace

• Heavy tool support

• Team leader is “first among equals”

Agile Teams

• Small teams sharing a workspace

• One team manager

• Often a full-time customer/stakeholder on the team

• Team sets their own best practices

– Tool selection

• Emphasis on self-management and self-motivation

– Professional pride

Distributed Teams

Common in open-source development.

• Small core team responsible for project “vision”

• Associate developers submit patches, changes, etc.

– Must be approved by core team

– A pull request is a request for others to check out a proposed change

• Users submit bug reports and feature requests

– May be prioritized by core team

– Associate developers are not prohibited from working on a low-priority request

Open Source Software Development

Typically structured in an onion shape,

• Core team

– Small experienced team

– Acts as the management team

– Kernel components of the software may only be changed by the core team

• Co-Developers

– Larger group


– Review code

– Fix bugs

• Active users

– Users of the most recent release

– Submit bug reports

– Submit feature requests

• Passive users

– Use stable release

– Do not interact with the project

Due to its voluntary nature there are specific challenges to such a team,

• Motivation to remain active

• Disagreement between developers

• Communication between developers

1.7.2 Introduction to OOD and Programming

Taking classes and objects beyond mechanisms, going beyond stepwise refinement and top-down design, and focusing on effective design and organization constructs. The OOA&D (Object Oriented Analysis and Design) process may be useful even when not using an Object Oriented language.

Workflows

Two major models:

• Traditional

• Agile

All workflows consist of:

• Analysis

– What the system TOI is

– How does the real world system work

– How should the system work

– Use cases

• Design

– How to organize

– How to accomplish the goals

• Implementation

– UML

– Write code

– Write tests


– Finalize the current TOI

• Validation

– Decide if implementation is acceptable

– Discuss decisions with a domain expert

– Formal proof

– Testing

– Reviews

Workflows must be viewed in terms of the current TOI. Then when each TOI is finished the next one is started. For example, when writing an ADT this process would be repeated for each phase of the design: analysis of the problem, design, writing tests, writing code, and validation.

Software Process Models

The waterfall model is the most widely known process, and is traditional. Overlap between the names of the goals and the names of the stages of development does not mean they are the same thing. It is very formal, very rigid, very unpleasant.

• Waterfall Model

– Requirements

* Define requirements in a requirements specification

* Language is very important, “shall”, “should”, etc.

* Specify Behaviors

– Design

* Design documentation

* Derive a solution to the requirements.

* Phases

· Architectural (Hardware)

· High-Level (ADTs)

· Low-Level

– Implementation

* Code, application & test

* Easy day

– Verification & Validation

* Does the system meet user needs

* Have requirements been met

* Is the domain expert happy

* Do the requirements need to be changed

* Does it work in a real environment vs. testing

– Operation & Maintenance

* Development lifecycle


· Prioritize change

· Make changes

· Validate changes

· New tests

· Validate changes don’t break old code

· Regression testing

Iterative development is from the agile school of thought. It is good for exploring alternatives, and can help to find poorly understood requirements.

• Iterative Development

General OO Analysis & Design

1. Domain model

2. Analysis model

3. Design Model

Start by building a domain model, a model of the “real” world system, to better understand how it works. This phase may not be needed if the team already has a good understanding of the domain.

Selecting & Identifying Classes

As part of the analysis phase, this early the focus should be on building a conceptual model. Write a description of the problem highlighting noun and verb phrases and use them to collect a list of candidate classes. Then eliminate synonyms, refine terms and choose better names. Ensure that the terms are specific and used consistently, and that class names are capitalized and singular. Before moving on, finalize the list.

CRC (Class-Responsibility-Collaboration) cards

Used for brainstorming to model the problem domain; that is, CRC cards are used while working on the domain model. CRC cards are not design: they are not for selecting data structures or thinking about code. This is an early part of the analysis phase, and many mistakes will be made. The documentation on the problem is likely in a natural language, general, and the real world model is likely poorly understood by the software team. This is largely just a way to learn how the system should really work and dispel misconceptions early in the game.

Class Name
Responsibilities        Collaborators

If there is no way to elaborate on something it should not get a card, and there is also no need for anything that cannot be modeled as a class to have a card. It is important to differentiate between similar or related attributes, such as the difference between unit cost and total cost. This is a good place to start eliminating such ambiguous language. Creating CRC cards:

1. Start with blank CRC cards.

2. Write a Candidate Class on the top of each card.

3. Fill in the Candidate Responsibilities, and attributes.

4. Fill in collaborators.

5. Look for variant behavior.


6. Revise.

7. Return to step 6.

Collaborations may take the form of a request for information or a request to do something. The vertical position of the collaborators has no significance (it does not correspond to anything), and a collaborator is never listed twice. Consider the following (incomplete) cards:

Spaceship
Tail Code               Space Station
Thrusters
Engine
Weapons

Space Station
Handles Docking of Spaceships
Handles Launching of Spaceships

Here a Spaceship must request permission from the Space Station to dock with it. The Space Station then checks if space is available and decides whether or not to grant permission.

The A-B-C Rule says that if A does B to C (Spaceship - Docks with - Space Station):

• Doing B (docking) is a responsibility.

• B (docking) is usually a responsibility of C (Space Station), not A (Space Ship).

• C (Space Station) is then a collaborator of A (Spaceship).

Here the space station would handle the docking, possibly with a tractor beam if the model allows it. This lets the space station take over once docking is requested and handle the checks and space allocation needed to accommodate the ship. If a class (Space Station) is in the collaborator list of a card (Spaceship), then there needs to be some responsibility belonging to the collaborator (Space Station) that it makes sense for the card's class (Spaceship) to call or make use of. This also means that if a class has no responsibilities (such as actors), then it cannot be a collaborator.

void Spaceship::requestDocking(SpaceStation& station) {
    station.dock(*this);
}

Managing collections deviates from this. For example, if the space station also manages a log of the comings and goings, then the container would be handled as:

Space Station Log
Permits addition of Docking Data

With the understanding that adding new elements to a container is done by the container itself and not by the element.

std::list<DockingData> dockingData;
dockingData.push_back(swordfishII);

This would never be written as:

swordfishII.insertInto(dockingData);

A spaceship entering itself into a log would just be crazy; the entire purpose of the log is likely to track pirates and such, and they could simply enter a fake name like Jack Sparrow. The same reasoning applies to any audit log: the entity being recorded must not be the one writing the record.


When assigning responsibilities it is important to consider the A-B-C Rule and also to check that the assignment works in context. The responsibilities will eventually become messages sent to the class they are the responsibility of, and then member functions of an ADT, which should be a good way to tell whom to assign the responsibility to.
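The docking and logging cards above, turned into running C++ as an added example (this is not code from the original notes). Names beyond those on the cards (DockingLog, the bay count, the ship tail codes) are assumptions. Following the A-B-C rule, SpaceStation owns the docking check and writes the log; Spaceship only asks.

```cpp
// Added example, not from the original notes: the Spaceship / Space Station /
// Log cards turned into C++. Class, member and ship names are assumptions.
#include <algorithm>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

class Spaceship;  // forward declaration: SpaceStation collaborates with it

struct DockingData {
    std::string tailCode;
    bool docked;  // true = docked, false = launched
};

// The log is a container: it adds entries itself; nothing "inserts itself".
class DockingLog {
public:
    void add(const DockingData& entry) { entries_.push_back(entry); }
    std::size_t size() const { return entries_.size(); }
    const DockingData& at(std::size_t i) const { return entries_.at(i); }
private:
    std::vector<DockingData> entries_;
};

// A-B-C: "Spaceship docks with Space Station", so docking is the station's
// responsibility. The checks (is there a free bay?) live here, not in the ship.
class SpaceStation {
public:
    explicit SpaceStation(std::size_t bays) : bays_(bays) {}
    bool dock(const Spaceship& ship);    // bodies follow Spaceship's definition
    bool launch(const Spaceship& ship);
    std::size_t occupied() const { return docked_.size(); }
    const DockingLog& log() const { return log_; }
private:
    std::size_t bays_;
    std::vector<std::string> docked_;  // tail codes currently in a bay
    DockingLog log_;
};

class Spaceship {
public:
    explicit Spaceship(std::string tailCode) : tailCode_(std::move(tailCode)) {}
    const std::string& tailCode() const { return tailCode_; }
    // The ship only asks; the station decides and records the outcome.
    bool requestDocking(SpaceStation& station) { return station.dock(*this); }
    bool requestLaunch(SpaceStation& station) { return station.launch(*this); }
private:
    std::string tailCode_;
};

bool SpaceStation::dock(const Spaceship& ship) {
    const std::string& code = ship.tailCode();
    bool alreadyHere = std::find(docked_.begin(), docked_.end(), code) != docked_.end();
    if (alreadyHere || docked_.size() >= bays_) return false;  // deny: no bay
    docked_.push_back(code);
    log_.add(DockingData{code, true});  // the station records it, not the ship
    return true;
}

bool SpaceStation::launch(const Spaceship& ship) {
    auto it = std::find(docked_.begin(), docked_.end(), ship.tailCode());
    if (it == docked_.end()) return false;  // deny: not docked here
    docked_.erase(it);
    log_.add(DockingData{ship.tailCode(), false});
    return true;
}

// Walk-through: one bay, two ships. Returns how many requests were granted.
int dockingScenario() {
    SpaceStation station(1);
    Spaceship swordfish("Swordfish II");
    Spaceship hammerhead("Hammerhead");
    int granted = 0;
    granted += swordfish.requestDocking(station);   // granted
    granted += hammerhead.requestDocking(station);  // denied: bay is full
    granted += swordfish.requestLaunch(station);    // granted
    granted += hammerhead.requestDocking(station);  // granted: bay free again
    return granted;  // 3
}
```

dock() refuses a ship that is already docked or when no bay is free, which is exactly the check the A-B-C rule places on the station rather than the ship; and because log_ is private to SpaceStation and only its dock() and launch() call add(), a ship has no path by which to write its own entry into the log.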

Unified Modeling Language

Domain model

The general goal is to take CRC cards and model them into more formal documentation that can be shown to people outside of the dev team. UML provides for different types of diagrams, and they will look very different at different phases of development.

Perspectives:

• conceptual

– domain model

– Conceptually things that will be functions are attributes

– Do not list public/private or make everything public

• Specification

– ADTS (Abstract Data Types)

– Start listing data types

– Start determining what will be functions

• Implementation

– Interface Implementation

General Considerations Diagramming in context: diagrams are part of a strategy and they need explanatory text in order to communicate ideas effectively. If two paragraphs are needed to explain a diagram, consider breaking it down into smaller parts.

Class Diagrams

• types of relationships in the system

• selected static relationships among classes

– generalization

– association

Generalization Subtype is specialization of a supertype.

• Represented with a solid line and an arrowhead.

• Used to represent inheritance

• conceptual: subtypes are also instances of the supertype

• specification: subtype interface contains interface of supertype

• implementation: subtype inherits attributes/ops of supertype

• diagramming

– symbol: arrow with unfilled, triangular head


– Points to class being specialized

– Reads: “is a specialization of”, “is a kind of”, or “is a”

• multiple specializations

– arrows grouped together to show related, mutually exclusive, divisions

– good place to elaborate on what the diagram is saying with text

Association

relationship between instances of classes

• Shown as lines connecting classes

• Decorations: make associations meaningful

– Relationship Names: written middle, has direction

– Direction Indicator

– Multiplicity

* how many instances of a class participate in the relationship

– Navigability

* defaults to two way

* not very useful in a conceptual diagram

* no role name for unnavigable direction

– Role: written at end of association

* directional purpose of an association

* not the association itself

* role vs attribute

· association: relationship not 1 to 1

• Should make sense when read out loud

• unnamed associations are useless

• specialized associations

– occur frequently

Special Associations are types of associations that occur so often they have been given special symbols that replace names and sometimes role labels.

• Aggregation

– arrowhead unfilled diamond

– “is part of”, other way “has a”

– Normally not named

– conceptual

* may not make sense like in implementation modeling

* should “read” well both ways

• Composition


– arrowhead filled diamond

– Stronger form of aggregation

– Expresses linked lifetime

– What else is destroyed along with a container

– More often used in implementation phase than conceptual

• Qualification

– Class acting as an index, lookup intermediary

– related to multiple instances of another

– Accessors through intermediary classes

• Dependency

– Indicated by a dashed line ending with a navigability arrowhead

– Not usually in conceptual phase

– Implementation detail

– Shows class dependency

– MVC model is a common representation

– What classes must be changed when changes are made elsewhere.

Other class design elements also have indicators but they are not used as often.

• Parameterized classes

– Represent similar concepts

– Templates

• Constraints

– Denoted by text inside brackets {x must have y}

• Stereotypes

– Extension mechanism

– Ex: iterator is an interface not a true class

• Satisfies / Realizes

– Both inheritance and dependency

An HTMLColor class with three components, RGB each in the range 0-255, modeled in UML:

HTMLColor
Red
Green
Blue

From the description the components are integers, which is a primitive type and cannot be represented by a class, so they are attributes of HTMLColor rather than associated classes.


Inheritance

A way of modeling variant behavior. It is used to separate out parts of an ADT into generalized and specialized classes. A good example of this is the hierarchy of types of animals: all the types of birds have a bird base class and specializations for their type. Inheritance is a way to model this. This is commonly referred to as the is-a relationship, as in a hawk is a bird, or a penguin is a bird. Conceptually, class A is a generalization of B if every B object is also an A object and, by extension, everything about A is also true for B.

At the specification/implementation level, class A is a generalization of class B if B conforms to the public interface of A. This brings it back to the more formal view of ADTs as a contract. For example a check, a withdrawal, and a deposit can all be modeled as specializations of a more general transaction.

Multiple Inheritance

Deals with class’s members

Inheriting from multiple base classes is common during conceptual/specification (domain/analysis models) but is generally removed before implementation due to the complications it can cause. It often leads to inheritance of multiple attributes that represent the same attribute.

Subtyping

Deals with non-members

Type C is a subtype of D if a value of type C may be used in any operation that expects a value of type D. C is called a subclass or subtype of D; D is called a superclass.

Should be able to pass in any subtype where the supertype is expected.

In most OO (Object Oriented) languages:

superObj = subObj;

Is ok but not:

subObj = superObj;

Generally assigning to a superclass object simply discards the extra data (in C++ this copy is called object slicing: the subclass's extra members and its dynamic type are lost), but assigning to a subclass object would require the system to invent data.
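What the two assignments do in C++, as an added example (not from the original notes), using the transaction hierarchy mentioned above. The class names, the extra reason field on Withdrawal, and the applyTo operation are assumptions.

```cpp
// Added example, not from the original notes: what "superObj = subObj" does
// to a C++ object versus substituting through a reference. Names assumed.
#include <string>
#include <utility>

class Transaction {
public:
    explicit Transaction(double amount) : amount_(amount) {}
    Transaction(const Transaction&) = default;
    Transaction& operator=(const Transaction&) = default;
    virtual ~Transaction() = default;
    double amount() const { return amount_; }
    virtual std::string kind() const { return "transaction"; }
    // Applied to a balance; subtypes decide the effect.
    virtual double applyTo(double balance) const { return balance; }
private:
    double amount_;
};

class Deposit : public Transaction {
public:
    using Transaction::Transaction;
    std::string kind() const override { return "deposit"; }
    double applyTo(double balance) const override { return balance + amount(); }
};

class Withdrawal : public Transaction {
public:
    Withdrawal(double amount, std::string reason)
        : Transaction(amount), reason_(std::move(reason)) {}
    std::string kind() const override { return "withdrawal"; }
    double applyTo(double balance) const override { return balance - amount(); }
    const std::string& reason() const { return reason_; }
private:
    std::string reason_;  // extra data a plain Transaction does not have
};

// "superObj = subObj" compiles, but the extra data (reason_) and the dynamic
// type are sliced away: t is a plain Transaction afterwards, and calls on it
// no longer dispatch to Withdrawal's methods.
std::string slicedKind() {
    Withdrawal w(50.0, "rent");
    Transaction t(0.0);
    t = w;              // allowed: the subtype's extras are discarded
    return t.kind();    // "transaction", not "withdrawal"
}

// Substitution through a reference (or pointer) keeps the dynamic type: the
// supertype interface is used, the subtype's behaviour runs.
std::string substitutedKind() {
    Withdrawal w(50.0, "rent");
    const Transaction& t = w;
    return t.kind();    // "withdrawal"
}

// The reverse, "subObj = superObj", does not compile at all: the compiler
// would have to invent a reason_ for the Withdrawal.
//   Transaction t(1.0); Withdrawal w(0.0, ""); w = t;   // error

// Any subtype can be passed where the supertype is expected.
double runLedger() {
    Deposit d(100.0);
    Withdrawal w(30.0, "fuel");
    const Transaction* ops[] = {&d, &w};
    double balance = 0.0;
    for (const Transaction* op : ops) balance = op->applyTo(balance);
    return balance;  // 70.0
}
```

The practical rule that falls out of this: hold polymorphic objects by reference or pointer (or a smart pointer), never by value of the base type, or the slicing in slicedKind() silently turns a Withdrawal into a Transaction with no compiler complaint.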

Describing Inheritance

• Specialization

– New class is a specialized form of the parent class

– Satisfies the specification of the parent in every aspect

– New class may be substituted for a value of the parent anywhere

• Specification (“Shared Protocol” Pattern)

– A parent class specifies a common interface for all children

– The parent does not itself implement the behavior

– Abstract Classes


* Base classes in inheritance-for-specification are often abstract

* Base class exists to define a protocol

* Not to provide actual objects

– Defining Protocols

* Superclass defines the protocol

* Subclass implements the messages of the protocol

* Application code invokes the messages of the protocol without worrying about the underlying methods

• Extension

– A limited number of “new” abilities is grafted onto an otherwise unchanged superclass

– Often criticized as “hacks” reflecting afterthoughts & poor hierarchy designs

– Often there is a cleaner way to achieve the same design

– A “socially acceptable” form of extension is the mixin

Abstract Base Classes

class Set {
    ...
    virtual Set& add(int) = 0;
    ...
};

Here in C++ the = 0 denotes that no method exists in this class for implementing this message, and add is called a pure virtual (abstract) member function. Any class that contains such a function is called an Abstract Class; such classes cannot be instantiated directly and are used specifically to define a protocol that concrete subclasses implement.

The Observer Pattern

A design pattern or idiom of Object Oriented programming based on two mixins: an observer that can ask an observable object for notification of any changes, and an observable that keeps track of a list of observers and notifies them when its state changes.
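The two mixins in C++, as an added example (not from the original notes). The Account and BalanceWatcher classes, and the choice of raw observer pointers, are assumptions made for the illustration.

```cpp
// Added example, not from the original notes: the Observer pattern's two
// mixins, with an Account whose balance is watched. Names are assumptions.
#include <algorithm>
#include <vector>

class Observable;

// Observer mixin: derive from it to receive change notifications.
class Observer {
public:
    virtual ~Observer() = default;
    virtual void update(const Observable& source) = 0;
};

// Observable mixin: keeps the observer list and notifies it on state change.
class Observable {
public:
    virtual ~Observable() = default;
    void attach(Observer* o) {
        if (std::find(observers_.begin(), observers_.end(), o) == observers_.end())
            observers_.push_back(o);  // no duplicates, so no double notifications
    }
    void detach(Observer* o) {
        observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                         observers_.end());
    }
protected:
    void notify() const {
        // Iterate over a snapshot: an observer may detach itself inside update().
        std::vector<Observer*> snapshot = observers_;
        for (Observer* o : snapshot) o->update(*this);
    }
private:
    std::vector<Observer*> observers_;
};

// Concrete observable: mixes in Observable and calls notify() after each change.
class Account : public Observable {
public:
    void deposit(double amount) { balance_ += amount; notify(); }
    double balance() const { return balance_; }
private:
    double balance_ = 0.0;
};

// Concrete observer: counts notifications and pulls the new balance from the source.
class BalanceWatcher : public Observer {
public:
    void update(const Observable& source) override {
        if (const Account* acct = dynamic_cast<const Account*>(&source)) {
            ++updates_;
            last_ = acct->balance();
        }
    }
    int updates() const { return updates_; }
    double last() const { return last_; }
private:
    int updates_ = 0;
    double last_ = 0.0;
};

// Walk-through: attach (twice), two deposits, detach, one more deposit.
int watchedUpdates() {
    Account account;
    BalanceWatcher watcher;
    account.attach(&watcher);
    account.attach(&watcher);   // second attach is ignored
    account.deposit(10.0);
    account.deposit(5.0);       // watcher.last() is now 15.0
    account.detach(&watcher);
    account.deposit(1.0);       // no longer observed
    return watcher.updates();   // 2
}
```

The list holds non-owning pointers, so an observer must detach() before it is destroyed; otherwise the next notify() dereferences a dangling pointer (a use-after-free). Iterating over a snapshot in notify() is what makes detaching from inside update() safe.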

Shapefactory Example

The factory model is used to manage an inheritance hierarchy by instantiating objects using a key. In order to add a new model to the factory you update the factory and not the rest of the code; this allows for abstraction of the allocation of objects within an inheritance hierarchy.

Keeping track of a Shape hierarchy including an arbitrary number of shapes. A common approach is the factory model; some languages it exists in include:

• C++

• Java

• Python


Uses a key which matches a model of the shape, which it can then create, allocate, keep track of, modify, and delete. The Shape factory must know about everything it uses. The shape factory itself is just an organizational tool.

• Circle

• Square

• Triangle

– Equilateral Triangle

– Right Triangle
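An added C++ example (not the notes' own code) covering both the abstract base class above and the Shape factory: Shape is abstract, the concrete classes are the hierarchy just listed, and ShapeFactory creates them from a string key. The key names, the registry API, and reading “Right Triangle” as the right isosceles triangle with both legs equal to the size are assumptions.

```cpp
// Added example, not the notes' own code: an abstract Shape base class and a
// ShapeFactory keyed by a string. Key names, the registry API and the
// handling of unknown keys are assumptions.
#include <cmath>
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <utility>

constexpr double kPi = 3.14159265358979323846;

class Shape {
public:
    virtual ~Shape() = default;
    virtual double area() const = 0;       // = 0: no body here, subclasses supply one
    virtual std::string name() const = 0;
};
// Shape s;  // would not compile: an abstract class cannot be instantiated

class Circle : public Shape {
public:
    explicit Circle(double radius) : r_(radius) {}
    double area() const override { return kPi * r_ * r_; }
    std::string name() const override { return "circle"; }
private:
    double r_;
};

class Square : public Shape {
public:
    explicit Square(double side) : s_(side) {}
    double area() const override { return s_ * s_; }
    std::string name() const override { return "square"; }
private:
    double s_;
};

// Still abstract: area() is left to the specializations.
class Triangle : public Shape {
public:
    explicit Triangle(double side) : s_(side) {}
    std::string name() const override { return "triangle"; }
protected:
    double s_;
};

class EquilateralTriangle : public Triangle {
public:
    using Triangle::Triangle;
    double area() const override { return std::sqrt(3.0) / 4.0 * s_ * s_; }
    std::string name() const override { return "equilateral triangle"; }
};

// Assumed to be the right isosceles triangle with both legs equal to s_.
class RightTriangle : public Triangle {
public:
    using Triangle::Triangle;
    double area() const override { return s_ * s_ / 2.0; }
    std::string name() const override { return "right triangle"; }
};

// The factory maps a key to a maker; the rest of the program never names a
// concrete class, so adding a shape means registering one more maker here.
class ShapeFactory {
public:
    using Maker = std::function<std::unique_ptr<Shape>(double)>;
    void registerShape(const std::string& key, Maker maker) { makers_[key] = std::move(maker); }
    bool knows(const std::string& key) const { return makers_.count(key) != 0; }
    // Unknown key: return nullptr and let the caller decide, rather than
    // silently picking a default or crashing on a typo in input data.
    std::unique_ptr<Shape> create(const std::string& key, double size) const {
        auto it = makers_.find(key);
        if (it == makers_.end()) return nullptr;
        return it->second(size);
    }
private:
    std::map<std::string, Maker> makers_;
};

ShapeFactory makeDefaultFactory() {
    ShapeFactory f;
    f.registerShape("circle",      [](double s) { return std::unique_ptr<Shape>(new Circle(s)); });
    f.registerShape("square",      [](double s) { return std::unique_ptr<Shape>(new Square(s)); });
    f.registerShape("equilateral", [](double s) { return std::unique_ptr<Shape>(new EquilateralTriangle(s)); });
    f.registerShape("right",       [](double s) { return std::unique_ptr<Shape>(new RightTriangle(s)); });
    return f;
}

// Convenience for callers: -1.0 signals an unknown key.
double areaOf(const std::string& key, double size) {
    auto shape = makeDefaultFactory().create(key, size);
    return shape ? shape->area() : -1.0;
}
```

Because create() hands back a std::unique_ptr<Shape>, the caller works through the abstract interface only and the virtual area() call resolves to the concrete class at run time; the factory is the single place that knows the concrete types.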

Sharing Pointers and Garbage Collection

Sometimes sharing is essential to the behavior of the data structure; this is common among algorithms associated with “graphs”, and not every data structure needs to be hidden. When sharing pointers it can become confusing when something can be deleted: an aggressive approach can cause problems such as infinite recursion and data structure corruption (a freed object still reachable through another pointer is a use-after-free or double free waiting to happen), but at the same time memory leaks are undesirable.

Garbage: objects on the heap that can no longer be reached from any pointers on the activation stack. Determining when something on the heap has become garbage is difficult, so some languages take over this job for the programmer. This has a performance tradeoff but may be worth it depending on the application. Some ways this is handled:

• Reference Counting: Simplest way

– Keep a hidden counter in each object on the heap to keep track of the number of pointers to that object.

– Each time we reassign a pointer that used to point at this object, the counter is decremented.

– Each time we reassign a pointer so that it now points at the object, we increment the counter.

– If that counter reaches 0, the object is garbage and is deallocated.

This cannot be done with “real” pointers, so some languages may provide “smart” pointers (C++'s std::shared_ptr is one). Reference counting won't work with cycles, however: two objects that point at each other keep each other's count above zero forever. Mark and sweep works better with cycles.

• Mark and Sweep

– Each object on the heap has a hidden “mark” bit

– Mark phase: starting from the roots (pointers on the stack and in globals), follow every pointer and set the mark bit on each reachable object

– Sweep phase: walk the whole heap, deallocate every unmarked object, and clear the marks for the next collection

• Ownership Model

– Exactly one pointer is designated the owner and is responsible for deallocation; every other pointer to the object is non-owning and must not outlive the owner (C++'s std::unique_ptr expresses this)

Each solution has trade-offs; there is no single best solution for every case.
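Reference counting, the cycle problem and the usual fix, shown with std::shared_ptr and std::weak_ptr as an added example (not from the original notes). The Node structure and the probe-through-a-weak-pointer technique are assumptions made for the illustration.

```cpp
// Added example, not from the original notes: reference counting with
// std::shared_ptr, why a cycle is never freed, and how a weak back link
// fixes it. The Node structure is an assumption.
#include <memory>

struct Node {
    std::shared_ptr<Node> next;  // strong (counted): keeps the pointee alive
    std::weak_ptr<Node> prev;    // weak (not counted): observes only
};

// Strong pointers in both directions: once the outside handles are gone each
// node still holds the other's count at 1, so neither is ever deallocated.
bool strongCycleLeaks() {
    std::weak_ptr<Node> probe;  // lets us look without adding to the count
    {
        auto a = std::make_shared<Node>();
        auto b = std::make_shared<Node>();
        a->next = b;
        b->next = a;            // cycle of strong references
        probe = a;
    }                           // a and b go out of scope: counts drop to 1, not 0
    bool leaked = !probe.expired();
    // Break the cycle by hand so the demo itself does not leak; a real
    // program has no probe and the nodes would simply never be freed.
    if (auto a = probe.lock()) a->next.reset();
    return leaked;              // true
}

// Same shape, but the back link is weak: it does not bump the count, so when
// the outside handles go a's count hits 0, a is freed, its strong next
// releases b, and b is freed too.
bool weakBackLinkFrees() {
    std::weak_ptr<Node> probe;
    {
        auto a = std::make_shared<Node>();
        auto b = std::make_shared<Node>();
        a->next = b;
        b->prev = a;            // weak: no count increment
        probe = a;
    }
    return probe.expired();     // true
}

// The counter itself: each copy of the shared_ptr increments it, each reset
// or destroyed copy decrements it; use_count() reads the hidden counter.
long countAfterShare() {
    auto a = std::make_shared<Node>();
    auto copy = a;              // second owner: count 2
    long before = a.use_count();
    copy.reset();               // one owner left: count 1
    return before * 10 + a.use_count();  // 21
}
```

A weak_ptr must be lock()ed before use, and lock() returns an empty shared_ptr when the object is already gone; that check is what keeps a weak back link from becoming a dangling pointer.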

Use Cases

Works with objects, or actual instances, and not classes as UML class diagrams do. This is a way to refine the domain model. OOA&D is scenario driven; scenarios are “stories” that describe interaction between a system and its user. Stories are usually in an informal language and contain many variants, including errors, exceptional cases, etc. They are gathered (during Elaboration) from documents and from interviews with the domain expert.

A Use Case is:

• a collection of scenarios

• related to a common user goal

• in common step-by-step fashion


They are used for:

• Guiding analysis and design

• Validate models by walking through Use Cases

They are developed with an iterative evolutionary approach.

Different types of relationships between use cases:

• Generalization

• Extends

Interaction Diagrams

Looks at the runtime view of objects. Really just a picture representing the passage of time as the code runs.

There are two kinds (tool note: sed, a sequence diagram editor):

• Collaboration Diagrams

– Older

– Do not scale well

– Main components are objects

– Objects that exchange messages are connected by links

– An * in front of a call means it can be made multiple times

• Sequence Diagrams

– For specific use-case or common interactions

– Who calls who and in what order

– Activation boxes

* Per function not per object

* A thin vertical box that represents the time a function is active

* Show when a function call is active

* Incoming arrow to an activation box must connect to the top

* Outgoing arrows (“return values”) must go back to the calling function

* Activations can overlap

– Returns: can use dashed line for void returns for cleaner visuals.

– UML 2.0 introduced frames to group messages

* Options and Loops

* Can reference other frames in other docs

Sometimes something needs to be passed as a message; this can be done by making an object a named object instead of anonymous. When determining what is a message the ABC rule is important. Again, do not try to capture the whole picture in one diagram; try to capture a coherent message.


Dynamic Binding

Dynamic binding is very important for allowing different classes to respond to the same message with different methods. Some say that no language without dynamic binding is an OOPL (Object Oriented Programming Language). The term binding is used in a general sense in relation to programming languages to denote the association of information with a symbol. For example:

• a = 2 is a binding of a value to a variable

• String s is a binding of a type to a variable name

But with OOP (Object Oriented Programming) we are interested in binding a function body (method) to a function call:

a = foo(b);

The decision as to what code will be executed for the call to foo is made at different times depending on the programming language. In traditional compiled languages such as FORTRAN, PASCAL, C, etc. the decision is made at compile-time, which has the following attributes:

• The decision of what code will be executed is immutable

• If the statement is inside a loop, the same code must be invoked for foo each time

• Compile-time binding is cheap - has very little execution-time overhead

In traditional interpreted languages such as LISP, BASIC, etc. the decision is made at run-time, with the following attributes:

• The decision of what code will be executed is mutable

• If the statement is inside a loop, different code may be invoked for foo each time

• Run-time binding can be expensive - high execution-time overhead, because it implies that some sort of decision or lookup is done at each call

OOPLs (Object Oriented Programming Languages) often use dynamic binding with the following implications:

• The choice of method is made from a relatively small list of options

• The list of choices is determined at compile time

• The final choice is made at run-time

• The options that make up that list are organized according to the inheritance hierarchy

In non-traditional languages binding techniques may vary:

• In Java, all functions calls are resolved by dynamic binding

• In C++, we can choose between compile-time and dynamic binding

The Key Pattern

Dynamic binding is important because it lets us write application code for the superclass that can be applied to the subclasses, taking advantage of the subclasses’ different methods.

for (BaseClass* x : xs) {
    x->virtualFunction(thingsNstuff);
}


Here dynamic binding is used to apply a subclass-appropriate behavior to each element of a collection, assuming C++ for illustration:

• Each time around the loop will extract a pointer from the collection

• But when virtualFunction is called through the pointer, the runtime system uses the data type of the thing pointed to in order to determine which function body to invoke.

This is the heart of OOP.

Difference between Subtyping and Inheritance

• Subtyping

– Is about gaining attributes and/or functionality of super types

– refers to compatibility of interfaces. A type B is a subtype of A if every function that can be invoked on an object of type A can also be invoked on an object of type B.

• Inheritance

– Is about implementing an interface, and being able to substitute different implementations of that interface at run-time.

– refers to reuse of implementations. A type B inherits from another type A if some functions for B are written in terms of functions of A.

1.7.3 SOLID Principles of OOD

date 7 January, 2016

Introduction

Object oriented programming languages have been widely adopted by programmers in place of imperative languages. There are very commonly heard reasons for this that are completely false, including “It better models the real world” and “It is closer to the way we think.” While objects may be a better way to model some systems, they surely aren’t for others; these are simply marketing slogans invented as a way to sell the idea to executives.

Another common misconception is that this was because they provide encapsulation, inheritance, and polymorphism. That was obviously not the case:

• C provided perfect encapsulation using header files. In fact encapsulation was weakened with OOP using private and public, which was a hack.

• Inheritance was possible in C, although a little more difficult.

• Polymorphism worked just fine in C:

Listing 1.5: copy()

#include <stdio.h>

/* Polymorphic in C: getchar()/putchar() work on whatever stdin/stdout are. */
void copy() {
    int c;
    while ((c = getchar()) != EOF)
        putchar(c);
}


The problem with polymorphism in C was that it was dangerous to use. C++ was the first language to offer an easy and reliable way to use it, which in turn allowed the flow of project dependencies to be selectively re-inverted from their traditional hierarchical flow. This is a useful tool for designing modules without fragility, rigidity, and non-reusability.

tl;dr

SOLID Class Design Principles

• SRP: Single Responsibility Principle

– A class should have one, and only one, reason to change.

– Don’t put functions that change for different reasons in the same class.

– Formatting, calculating, database, and other concerns should all be separated.

• OCP: Open/Closed Principle

– Modules should be open for extension, but closed for modification.

– It should be possible to change what the module does without changing the module.

• LSP: Liskov Substitution Principle

– Derived classes must be usable through the base class interface, without the need for the user to know the difference.

• ISP: Interface Segregation Principle

• DIP: Dependency Inversion Principle

Open/Closed Principle

For an example of how to design by OCP, the C copy() function shown earlier can be extended simply by writing an optical character reader, without having to modify copy() itself. An example of how not to design by OCP:

Listing 1.6: drawAllShapes.c

#include "shape.h"
#include "square.h"
#include "circle.h"

void DrawAllShapes(ShapePtr list[], int n) {
    int i;
    for(i=0; i<n; i++) {
        ShapePtr s = list[i];
        switch(s->itsType) {      /* one case per shape: every new shape lands here */
            case square:
                DrawSquare(s);
                break;
            case circle:
                DrawCircle(s);
                break;
        }
    }
}

Listing 1.7: shape.h

#ifndef SHAPE_H
#define SHAPE_H

typedef struct Shape* ShapePtr;
typedef struct Point point;

enum ShapeType {circle, square};

struct Point {
    int x;
    int y;
};

struct Shape {
    enum ShapeType itsType;
};

#endif

Listing 1.8: square.h

#ifndef SQUARE_H
#define SQUARE_H

#include "shape.h"   /* needed for point and ShapePtr */

struct Square {
    enum ShapeType itsType;
    double itsSide;
    point itsTopLeft;
};

void DrawSquare(ShapePtr);

#endif

Listing 1.9: circle.h

#ifndef CIRCLE_H
#define CIRCLE_H

#include "shape.h"   /* needed for point and ShapePtr */

struct Circle {
    enum ShapeType itsType;
    double itsRadius;
    point itsCenter;
};

void DrawCircle(ShapePtr);

#endif

If the program is to be extended with a new shape, the first line that must change is the enum in shape.h, to something like:

enum ShapeType {circle, square, oval};

Every other module depends on shape.h, so circle.h and square.h need to be recompiled because an oval was added, even though circles and squares don’t care about ovals. Needing to recompile more often than necessary is a symptom of rigid code. Also the switch in drawAllShapes.c needs to be modified to add the oval case. This maybe isn’t bad for just one switch statement, but it is reasonable to consider that besides drawing shapes there is a switch for every other action for shapes including erase, drag, rotate, etc., and now they must all be found and modified. So this code is also fragile, because it is likely something will be missed when trying to track down all the switch statements, and it will break.

Also drawAllShapes.c can not be separated from the various shapes because its switch statement has a dependency on each shape. circle.h, square.h, and any other shapes must all be deployed with drawAllShapes.c; they can not be separated. This is immobility.

A better example:

Listing 1.10: drawAllShapes.cpp

#include "shape.h"

void DrawAllShapes(Shape* list[], int n) {
    for(int i=0; i<n; i++) {
        list[i]->draw();   // dynamic binding picks the right draw()
    }
}

Listing 1.11: shape.h

#ifndef SHAPE_H
#define SHAPE_H

class Shape {
public:
    virtual void draw() const = 0;
};

#endif

Listing 1.12: square.h

#ifndef SQUARE_H
#define SQUARE_H

#include "shape.h"

class Square : public Shape {   // must derive from Shape to be drawn through Shape*
public:
    virtual void draw() const;
};

#endif

Listing 1.13: circle.h

#ifndef CIRCLE_H
#define CIRCLE_H

#include "shape.h"

class Circle : public Shape {   // must derive from Shape to be drawn through Shape*
public:
    virtual void draw() const;
};

#endif

Now drawAllShapes.cpp loops through the shapes and tells each one to draw itself. Now if an oval is added nothing needs to be recompiled, so it is not rigid. Everything that can be done to a shape must be done in that shape, so there is no way to forget to implement an operation, and it is not fragile. Best of all, drawAllShapes.cpp has no idea that square.h or circle.h exist. The high level does not know the low level details.

There can still be a problem though. This design protects us from new shapes. It can be extended with new shapes without any problems, but what if the customer does not care about having new shapes? They want all the circles to be drawn first, then the squares. This is where the “real world model” breaks down.

The work around is to implement the simplest thing possible, and get users to suggest new features. This allows better guesses about what abstractions are needed to protect you.

LSP: Liskov Substitution Principle

The Rectangle/Square problem:

void Square::SetWidth(double w) {
    width = w;
    height = w;
}

void Square::SetHeight(double h) {
    width = h;
    height = h;
}

Rectangle was written a long time ago and now there is a new requirement for a Square class. Square in the “real world” is obviously a special case of Rectangle, so it would make perfect “real world” sense for Square to inherit from Rectangle. This falls apart though, at the realization that Square will inherit two fields when it only needs one; it can not inherit from Rectangle and only have one field. A possible (bad) solution to this would be to override SetWidth() and SetHeight() in Square so that they both set the height and width.

Now some user of Rectangle calls SetHeight() not knowing that they had been passed a Square; they have the right to expect that the width won’t change, but it does. The internal finite state machine is then corrupted, and in turn the heap is corrupted. After tracking down the obscure bug, code is added to guard against squares with an if, creating a dependency on Square and making the code fragile and rigid, and also violating the OCP.

Again we have a breakdown with the perfect “real world” model. While it is true that a square is a rectangle, the class Square is a piece of code representing a square but is not a square, and the class Rectangle is a piece of code representing a rectangle but is not a rectangle. The representatives of things do not share the relationships of the things they represent.
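The Rectangle/Square problem written out in Python, as an added example that is not part of the original notes (the notes only show the two Square setters in C++). The class and method names are assumptions. The point is that the expectation a Rectangle user holds can be written down as a check; run against a Square it fails, which is how the substitution violation gets caught in a test instead of as the obscure heap-corruption bug the notes describe. A composition-based Square is included to show the shape that does not make the false claim.

```python
"""Rectangle/Square LSP violation made visible by a contract check.

Added example, not from the notes. Rectangle, Square and
SquareByComposition are illustrative names.
"""


class Rectangle:
    def __init__(self, width: float, height: float) -> None:
        self._width = width
        self._height = height

    def set_width(self, w: float) -> None:
        self._width = w

    def set_height(self, h: float) -> None:
        self._height = h

    def width(self) -> float:
        return self._width

    def height(self) -> float:
        return self._height

    def area(self) -> float:
        return self._width * self._height


class Square(Rectangle):
    """The 'bad' fix from the notes: both setters change both fields."""

    def __init__(self, side: float) -> None:
        super().__init__(side, side)

    def set_width(self, w: float) -> None:
        self._width = w
        self._height = w

    def set_height(self, h: float) -> None:
        self._width = h
        self._height = h


def rectangle_contract_holds(r: Rectangle) -> bool:
    """What any user of Rectangle is entitled to expect.

    After set_width(5) then set_height(4) the width must still be 5 and the
    area 20. Holds for Rectangle; fails for Square because set_height also
    changed the width behind the caller's back.
    """
    r.set_width(5)
    r.set_height(4)
    return r.width() == 5 and r.height() == 4 and r.area() == 20


class SquareByComposition:
    """Square that does not claim to be a Rectangle, so it cannot be
    substituted for one and the contract above is never at stake."""

    def __init__(self, side: float) -> None:
        self._rect = Rectangle(side, side)

    def set_side(self, s: float) -> None:
        self._rect.set_width(s)
        self._rect.set_height(s)

    def area(self) -> float:
        return self._rect.area()
```

The check is the kind of thing to keep in the Rectangle test suite: any subclass that enters the code base later is run through it and either honours the base-class behaviour or is caught immediately.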

1.7.4 Using Sphinx with Breathe and Doxygen

date 6 January, 2016

Introduction

Sphinx generates beautiful documentation from docstrings in the code, which eliminates the need to write documentation twice, once in the files and once in separate documentation. Unfortunately, currently only Python is supported. Doxygen on the other hand supports many languages but produces ugly and less intuitive documentation. To bridge the gap between the two tools, Breathe uses Doxygen’s XML output to allow Sphinx to be used with other languages.

tl;dr

Setup

Install Breathe

If pip is not installed, install it, then install the latest version of Breathe:

apt-get install python-pip
pip install breathe

Install Doxygen

Doxygen should be available on most Linux package managers:

apt-get install doxygen

Configure Doxygen

Create a Doxygen configuration file for each directory that has code that will be documented.

doxygen -s -g

If no name is given the default config file output will be named Doxyfile. Then edit the config file to produce XML output. Find the XML options and set GENERATE_XML to YES:

#---------------------------------------------------------------------------
# Configuration options related to the XML output
#---------------------------------------------------------------------------
GENERATE_XML           = YES
XML_OUTPUT             = xml
XML_PROGRAMLISTING     = YES

Optionally set GENERATE_HTML and GENERATE_LATEX to NO. Then run Doxygen with the config file options:

doxygen Doxyfile

Configure Sphinx

Add Breathe as a Sphinx extension:

extensions = [ "breathe" ]

Edit conf.py:

breathe_projects = {
    "my_project": "../project/c_src/xml/",
}

breathe_default_project = "my_project"

Now Doxygen directives can be added to the projects Sphinx docs:

.. doxygenindex::

.. doxygenfunction::

.. doxygenstruct::

.. doxygenenum::

.. doxygentypedef::

.. doxygenclass:: my_class
   :project: my_project
   :path: ../path/to/doxygen_output/xml/
   :members: my_members

For each directive both the project and path options can be used to specify which of the breathe_projects to use, overriding the default values in conf.py.

1.7.5 Glossary

date 12 January, 2016

A-B-C Rule If “A does B to C” then “doing B” is a responsibility, usually of C not A, and C is then a collaborator of A.

Abstraction A creative process of focusing attention on the main problems by ignoring lower-level details.

Acceptance Test, Acceptance Tests A test conducted by the customers or their representatives to decide whether to purchase/accept a developed system.

Actor, Actors Send messages to other classes but nothing in the model sends messages to them. Have no responsibilities.

Analysis Model Model of how the world will interact with the software system, or what the system will do when it is working.

Deep Copy Copied objects keep exclusive access to the things they point to. The copied object’s pointers will point to its very own copy of the data or data structure of the original object.

Design Model Model of how to get the system to do the things the analysis model says it should.


Domain Model Model of the application domain as it currently exists, before the development project begins. The purpose is to be sure that the team understands the world that the problem exists in.

Integration Test, Integration Tests Tests of “subtrees” of the total project hierarchy chart (groups of subroutines calling each other). This is generally a team responsibility.

Mixin, Mixins A class that makes little sense by itself, but provides a specialized capability when used as a base class. In some languages (that support it) Mixins often wind up involving multiple inheritance.

Pair Programming Two programmers work at the same screen, one programming and one looking over the other’s shoulder to give advice, notice mistakes, ask questions, and help as a co-pilot. The roles may shift at any given time.

Regression Test, Regression Tests Unit/Integration/System tests that are repeated after a change has been made to the code.

Server, Servers Accepts messages but sends none. Often represents a low level class that is just a collection of attributes. Has no collaborators.

Shallow Copy All pointers are copied; this leads to shared data on the heap. The copied object’s pointers will point to the same data or data structure as the original object.

System Test, System Tests Test of the entire system, usually supervised by team leaders or by V&V specialists, although many companies have independent teams for this.

TOI (Topic of Interest) What is being worked on at the moment.

Unit Test, Unit Tests Test for individual subroutines and modules, usually conducted by the programmer.

1.8 Data Structures and Algorithms

1.8.1 Arrays and Lists

date 11 January, 2016

Linked Lists

Using the C++ standard library <list> it is possible to access the std::list container, which is implemented as a doubly-linked list; this allows it to store elements in different and unrelated storage locations. The class already contains a number of methods including iterators, capacity, element access, modifiers, observers, and various operations.

Making Objects Linkable

Listing 1.14: foo.h

#ifndef FOO_H
#define FOO_H

class foo {
public:
    foo() {
        next = nullptr;   // end of list marker (was "Null" in the original)
    }

    void setnext(foo* n) {
        next = n;
    }

    foo* getnext() {
        return next;
    }

    void makenew() {
        next = new foo;
    }

private:
    foo* next;
};

#endif

Listing 1.15: foo.cpp

#include "foo.h"

#include "foo.h"

int main() {
    foo* current = nullptr;
    foo* head = nullptr;
    for(int i=0; i<100; i++) {
        if(head == nullptr) {
            head = new foo;
            current = head;
        } else {
            current->makenew();           // link a fresh foo after current
            current = current->getnext(); // and advance to it
        }
    }
    return 0;
}

Now to find a particular foo:

Listing 1.16: find_foo.cpp

#include <iostream>
#include "foo.h"

// Assumes foo also provides getid() and display(), and that head points at a
// list built as in foo.cpp.
int main() {
    foo* current;
    int target;
    std::cin >> target;
    current = head;
    // Not accounting for the non-existing case: walks off the end if target is absent
    while(current->getid() != target) {
        current = current->getnext();
    }
    current->display();
    return 0;
}
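The same hand-rolled singly linked list in Python, as an added example that is not part of the original notes; Node and LinkedList are illustrative names. None plays the role of nullptr, and find() stops at the end of the list instead of dereferencing a null pointer, which is the non-existing case the C++ fragment above leaves unhandled.

```python
"""Singly linked list with a find() that handles a missing target.

Added example, not from the notes. Node/LinkedList are illustrative names.
"""
from typing import Iterator, Optional


class Node:
    def __init__(self, ident: int) -> None:
        self.ident = ident
        self.next: Optional["Node"] = None   # None plays the role of nullptr


class LinkedList:
    def __init__(self) -> None:
        self.head: Optional[Node] = None
        self.tail: Optional[Node] = None    # kept so append is O(1)

    def append(self, ident: int) -> Node:
        node = Node(ident)
        if self.head is None:
            self.head = self.tail = node
        else:
            assert self.tail is not None
            self.tail.next = node
            self.tail = node
        return node

    def __iter__(self) -> Iterator[Node]:
        current = self.head
        while current is not None:
            yield current
            current = current.next

    def find(self, target: int) -> Optional[Node]:
        """Walk the list; return None at the end rather than dereferencing it."""
        current = self.head
        while current is not None and current.ident != target:
            current = current.next
        return current


def build(n: int) -> LinkedList:
    """Constructed sample input: nodes with ids 0..n-1, like the 100-foo loop."""
    lst = LinkedList()
    for i in range(n):
        lst.append(i)
    return lst
```

The ordering of the two conditions in find() is what makes the missing case safe: `current is not None` is tested first, so `current.ident` is never evaluated on None.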

Iterators

C++


Listing 1.17: scores.cpp

#include <iostream>
#include <list>

using namespace std;

int main(int argc, char* argv[]) {
    list<int> scores;
    list<int>::iterator sitr;
    int x;
    int n;

    cout << "How many scores? ";
    cin >> n;

    for(int i=0; i<n; i++) {
        cout << "Score? ";
        cin >> x;
        scores.push_back(x);
    }

    cout << "All scores" << endl;
    scores.sort();                  // missing ';' in the original
    sitr = scores.begin();
    while(sitr != scores.end()) {
        cout << *sitr << endl;      // was "end", which does not exist
        sitr++;
    }
    return 0;
}

Listing 1.18: whiskey.h

#ifndef WHISKEY_H
#define WHISKEY_H

#include <iostream>
#include <string>

class whiskey {
public:
    whiskey() {}
    ~whiskey() { std::cout << "Glug..glug...glug" << std::endl; }

    void setlabel(std::string s) { label = s; }
    void setage(int a) { age = a; }
    std::string getlabel() { return label; }
    int getage() { return age; }
    void display() {
        std::cout << age << " year old " << label << " whiskey" << std::endl;
    }

private:
    std::string label;
    int age;
};

#endif


Listing 1.19: whiskey.cpp

#include <iostream>
#include <cstdlib>
#include <string>
#include <list>
#include "whiskey.h"
using namespace std;

int main() {
    list<whiskey> mydrinks;
    list<whiskey>::iterator witr;
    whiskey* wptr;
    int n;
    int a;
    string s;

    cout << "how many types?" << endl;
    cin >> n;
    for(int i=0; i<n; i++) {
        cin.ignore();
        cout << "what label? ";
        getline(cin, s);
        cout << "how old? ";
        cin >> a;
        wptr = new whiskey;
        wptr->setlabel(s);
        wptr->setage(a);            // was wptr->age(a); no such member
        mydrinks.push_back(*wptr);  // the list stores its own copy
    }

    witr = mydrinks.begin();
    while(witr != mydrinks.end()) {   // closing ')' was missing
        witr->display();
        witr++;
    }
    return EXIT_SUCCESS;
}

Python

Haskell’s lazy evaluation of infinite lists is an amazing tool to have, and it is possible to create a similar construction using iterators. With the Catalan object an iterable class has been created that allows either an infinite or a size-capped list to be created. It iterates over the list of Catalan numbers, which are defined recursively as:

$$C_{n+1} = C_0 C_n + C_1 C_{n-1} + \dots + C_n C_0$$

For a Python object to be iterable, __iter__() must be implemented, and to be a valid iterator it must provide __next__(). These are special methods, denoted by the leading and trailing __, and are never meant to be called explicitly. Calling iter(f) calls f.__iter__() and next(f) calls f.__next__(). The following code example can be downloaded from the caption link.


Listing 1.20: catalan.py

class Catalan():

    def __init__(self, n):
        self.n = n
        self.current = 1
        self.cache = []

    def __iter__(self):
        return self

    def __next__(self):
        catalan = 0

        if self.cache == []:
            catalan = 1

        elif self.cache == [1]:
            catalan = 1

        else:
            for fwd, bkwd in zip(self.cache, reversed(self.cache)):
                catalan += fwd * bkwd

        self.current = catalan
        if self.current > self.n:
            raise StopIteration

        self.cache.append(self.current)

        return catalan

With this it is easy to output the set of Catalan numbers less than n:

>>> for x in Catalan(100):
...     print(x, end=' ')
...
1 1 2 5 14 42

They can easily be stored in a list:

>>> cats = []
>>> for x in Catalan(1000):
...     cats.append(x)
...
>>> cats
[1, 1, 2, 5, 14, 42, 132, 429]

Using a little math a lazy infinite list can be created:

>>> import math
>>> cats = []
>>> cat_iter = iter(Catalan(float("inf")))
>>> for x in range(6):
...     cats.append(next(cat_iter))
...
>>> cats
[1, 1, 2, 5, 14, 42]
>>> cats.append(next(cat_iter))
>>> cats
[1, 1, 2, 5, 14, 42, 132]

See the Python module itertools for useful Haskell-like iterator tools.
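The same lazy stream as a generator function combined with itertools, as an added example that is not part of the original notes. A generator satisfies the same iterator protocol as the Catalan class above (iter()/next()) with no cache bookkeeping exposed, and islice/takewhile replace the size cap and the float("inf") trick. The function names and the closed-form cross-check are assumptions of this example.

```python
"""Lazy Catalan numbers as a generator, sliced and capped with itertools.

Added example, not the notes' Catalan class. Function names are illustrative.
"""
from itertools import islice, takewhile
from math import factorial
from typing import Iterator, List


def catalan() -> Iterator[int]:
    """Infinite stream C_0, C_1, ... using C_{n+1} = sum_{i=0}^{n} C_i C_{n-i}."""
    cache: List[int] = []
    while True:
        if not cache:
            nxt = 1  # C_0
        else:
            # pair the cache with itself reversed: C_0*C_n + C_1*C_{n-1} + ...
            nxt = sum(f * b for f, b in zip(cache, reversed(cache)))
        cache.append(nxt)
        yield nxt


def catalan_first(k: int) -> List[int]:
    """The first k Catalan numbers; islice stops the infinite stream."""
    return list(islice(catalan(), k))


def catalan_upto(limit: int) -> List[int]:
    """Catalan numbers <= limit, mirroring Catalan(limit) from the notes."""
    return list(takewhile(lambda c: c <= limit, catalan()))


def catalan_closed(n: int) -> int:
    """Cross-check via the closed form C_n = (2n)! / ((n+1)! n!)."""
    return factorial(2 * n) // (factorial(n + 1) * factorial(n))
```

Because the stream is infinite, `list(catalan())` would never return; every consumer has to bound it with islice, takewhile or an explicit break, which is the same discipline Haskell's lazy lists demand.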

Ragged Arrays and Lists

Ragged arrays, also known as skylines, are simply 2-D arrays whose rows have varying lengths. Representing data in such a way makes it possible to represent and quickly iterate through data structures such as one containing the days in each month, which varies. An even more practical use is when storing large matrices that have a lot of 0’s.

C++

Listing 1.21: day.hpp

#include <ostream>

class Day {
public:
    Day();
    Day(const int d);
    ~Day();

    void display(std::ostream &outs) const;
    int getDay() const;

private:
    const int day;
};

Listing 1.22: month.hpp

#include <list>
#include <ostream>
#include "day.hpp"

class Month {
public:
    Month();
    Month(int month, int numDays);
    ~Month();

    void display(std::ostream &outs);
    int getMonth() const;
    std::list<Day> getDays() const;

private:
    const int month;
    std::list<Day> days;          // one row of the skyline, numDays long
    std::list<Day>::iterator ditr;
};


Listing 1.23: year.hpp

#include <list>
#include <ostream>
#include "month.hpp"

class Year {
public:
    Year();
    Year(int year);
    ~Year();

    void display(std::ostream &outs);
    int getYear() const;
    std::list<Month> getMonths() const;
    bool isLeapYear(int yearNum);
    std::list<Month> setMonths();

private:
    const int year;
    const bool leapYear;
    std::list<Month> months;      // rows of varying length: the ragged array
    std::list<Month>::iterator mitr;
};

Listing 1.24: test.cpp

#include <cstdlib>
#include <iostream>
#include <string>
#include "year.hpp"

int main(int argc, char* argv[]) {
    if(argc != 2) {
        return EXIT_FAILURE;
    }
    Year y(std::stol(argv[1]));
    y.display(std::cout);   // Year declares display(std::ostream&), not operator<<
    return EXIT_SUCCESS;
}

$ ./test 2000
2000
-----------------------------------------------------------------------------------------
1 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ]
2 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ]
3 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ]
4 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 ]
5 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ]
6 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 ]
7 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ]
8 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ]
9 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 ]
10 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ]
11 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 ]
12 [1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ]


Python

The following examples can be downloaded from alpha.py and the test file alpha_test.py, which builds and prints out a skyline. Alpha is simply a placeholder and could be anything that might be stored in a 2-D list; its __str__() function serves only to identify different instances of it in the output from alpha_test.py. Its constructor __init__(self, i) requires that the identifier i be passed when the object is created.

Listing 1.25: The Alpha class can be any generic container, object, or type.

class Alpha():

    def __init__(self, i):
        self.value = i

    def __str__(self):
        return "Alpha: {}".format(self.value)

Beta contains self.alpha_list, which holds Alpha objects, and the method add_alpha, which appends a new Alpha to its list. Its __str__() method first builds a list of Alpha object strings using str(alpha), then returns a string of the list of strings, str(str_list).

Listing 1.26: The Beta class holds a regular list of Alpha objects.

class Beta():

    def __init__(self):
        self.alpha_list = []

    def __str__(self):
        str_list = []
        for alpha in self.alpha_list:
            str_list.append(str(alpha))
        return str(str_list)

    def add_alpha(self, alpha):
        self.alpha_list.append(alpha)

Gamma’s constructor instantiates a list to hold Beta objects and requires that i be passed to set the number of Beta objects to initially build the list with. __str__() will print the Beta objects as they represent themselves with their string function, one per line, to make the skyline structure more visible. add_alpha adds a new Alpha to the Beta at index i as long as index i exists. add_beta simply appends a new Beta object at the end of beta_list.

Listing 1.27: The Gamma class holds a list of Beta objects creating a 2-D list.

class Gamma():

    def __init__(self, i):
        self.beta_list = []
        for x in range(0, i+1):
            self.beta_list.append(Beta())

    def __str__(self):
        str_list = []
        for beta in self.beta_list:
            str_list.append(str(beta))
        return '\n'.join(str_list)

    def add_alpha(self, alpha, i):
        if i < len(self.beta_list):
            self.beta_list[i].add_alpha(alpha)
        else:
            print("Insufficient Beta object available.")

    def add_beta(self, beta):
        self.beta_list.append(beta)

Example skyline:

>>> gamma = Gamma(6)
>>> for i in range(7):
...     if(i != 3):
...         alpha = Alpha(i+10)
...         gamma.add_alpha(alpha, i)
...         alpha = Alpha(i+100)
...         gamma.add_alpha(alpha, i)
...
>>> for i in range(0,5):
...     alpha = Alpha(i+1000)
...     gamma.add_alpha(alpha, i)
...
>>> print(gamma)
['Alpha: 10', 'Alpha: 100', 'Alpha: 1000']
['Alpha: 11', 'Alpha: 101', 'Alpha: 1001']
['Alpha: 12', 'Alpha: 102', 'Alpha: 1002']
['Alpha: 1003']
['Alpha: 14', 'Alpha: 104', 'Alpha: 1004']
['Alpha: 15', 'Alpha: 105']
['Alpha: 16', 'Alpha: 106']
>>> gamma.add_beta(Beta())
>>> gamma.add_beta(Beta())
>>> alpha = Alpha(7)
>>> gamma.add_alpha(alpha, 7)
>>> alpha = Alpha(77)
>>> gamma.add_alpha(alpha, 10)
Insufficient Beta object available.
>>> gamma.add_beta(Beta())
>>> gamma.add_beta(Beta())
>>> gamma.add_alpha(alpha, 10)
>>> print(gamma)
['Alpha: 10', 'Alpha: 100', 'Alpha: 1000']
['Alpha: 11', 'Alpha: 101', 'Alpha: 1001']
['Alpha: 12', 'Alpha: 102', 'Alpha: 1002']
['Alpha: 1003']
['Alpha: 14', 'Alpha: 104', 'Alpha: 1004']
['Alpha: 15', 'Alpha: 105']
['Alpha: 16', 'Alpha: 106']
['Alpha: 7']
[]
[]
['Alpha: 77']


1.9 Artificial Intelligence

One day the AIs are going to look back on us the same way we look at fossil skeletons on the plains of Africa. An upright ape living in dust with crude language and tools, all set for extinction.

—Nathan Bateman

1.9.1 Introduction to Statistical Learning

date 12 January, 2016

Those who ignore statistics are condemned to reinvent it. Statistics is the science of learning from experience.

—Bradley Efron

History & Overview

In the 1980s computer scientists developed the field of machine learning as a subfield of artificial intelligence. A primary focus was on neural networks. Meanwhile others followed a different framework to achieve the same goal and developed statistical learning, which arose as a subfield of Statistics.

There is a lot of overlap between the two fields. Both solve supervised and unsupervised problems. Machine learning has a greater emphasis on large scale applications and predictor accuracy, while statistical learning is concerned with models and their interpretability, and precision and uncertainty. The distinctions between the two have become less defined recently, but machine learning currently has the upper hand in marketing.

The Supervised Learning Problem

The idea of supervised learning is like teaching a child the difference between various colors. The child would be shown various colors and asked what they are; then, as the child gets feedback on the guesses for the various colors, patterns are found and learned.

Some Notation:

• Outcome measurement 𝑌 , also called:

– Dependent Variable

– Response

– Target

• Vector of 𝑝 predictor measurements 𝑋 , also called:

– Inputs

– Regressors

– Covariates

– Features

– Independent Variables

• In the regression problem, 𝑌 is quantitative.

• In the classification problem, 𝑌 takes values in a finite, unordered set for example:

• We have training data (𝑥1, 𝑦1), ..., (𝑥𝑁 , 𝑦𝑁 )


– 𝑥1 is a vector of 𝑝 measurements.

– 𝑦1 is usually a single response variable.

– They are observations (examples, instances) of these measurements.

Objectives of supervised learning:

• Accurately predict unseen test cases.

• Understand which inputs affect the outcome, and how.

• Assess the quality of predictions and inferences.

Note: It is important to accurately assess the performance of a method, to know how well or how badly it is working. Sometimes the simpler methods perform as well as the complicated ones.

Unsupervised Learning

Here the child gets no feedback on what things are, so they must be internally grouped by observations of features. It is about learning how the data is organized and finding which features are important for the organization of the data.

• No outcome variable.

– Just a set of predictors (features) measured on a set of samples.

• Objective is more fuzzy.

– Find groups of samples that behave similarly.

– Find features that behave similarly.

– Find linear combinations of features with the most variation.

• Difficult to know how well you are doing.

• Different from supervised learning, but can be useful as a pre-processing step for supervised learning.

Overview of Statistical Learning

Take data collected on Sales versus TV, Radio, and Newspaper ads. Typically one would like to know the relationship between Sales and each of the marketing methods, or their joint relationship. Knowing how they work together would be very beneficial. This can be thought of as wanting to model Sales as a function of TV, Radio, and Newspaper.

Sales ≈ 𝑓(TV, Radio, Newspaper)

• The outcome measurement, or response is referred to as 𝑌 .

– Sales

• A feature, input, or Predictor, is referred to as 𝑋𝑛.

– TV = 𝑋1

– Radio = 𝑋2

– Newspaper = 𝑋3


The predictors can also be referred to collectively as a column vector:

$$X = \begin{pmatrix} X_1 \\ X_2 \\ X_3 \end{pmatrix}$$

The model is constructed as:

$$Y = f(X) + \epsilon$$

where 𝜖 captures measurement errors and other discrepancies. The error is a catchall because the model will never capture 𝑋 perfectly. With a good model the following are some things that can be achieved:

• A good 𝑓 allows for predictions of 𝑌 at new points 𝑋 = 𝑥.

• It is possible to determine which elements of the vector 𝑋 = (𝑋1, 𝑋2, ..., 𝑋𝑝) are important to explaining 𝑌 and which are irrelevant.

– Seniority and Years of Education have a large impact on Income, but Marital Status does not.

• Depending on the complexity of 𝑓 , it may be possible to understand how each component 𝑋𝑗 of 𝑋 affects 𝑌 .

Introduction to Regression Models

One good value for 𝑓(𝑋), considering population data, is the average value based on the data:

𝑓(𝑥) = 𝐸(𝑌 | 𝑋 = 𝑥)

Note: 𝐸(𝑌 | 𝑋 = 𝑥) means expected value or average of 𝑌 given 𝑋 = 𝑥.

In this case only one value is returned for 𝑌 for each value of 𝑋. The ideal 𝑓(𝑥) = 𝐸(𝑌 | 𝑋 = 𝑥) is called the regression function. To draw the regression function simply iterate through each value of 𝑋, average the 𝑌 values at that point, and draw a line through the resulting averages.

The regression function:

• Is also defined for a vector 𝑋:

𝑓(𝑥) = 𝑓(𝑥1, 𝑥2, 𝑥3) = 𝐸(𝑌 | 𝑋1 = 𝑥1, 𝑋2 = 𝑥2, 𝑋3 = 𝑥3)

• Is the ideal or optimal predictor of 𝑌 with regard to mean-squared prediction error.

– 𝑓(𝑥) = 𝐸(𝑌 | 𝑋 = 𝑥) is the function that minimizes 𝐸[(𝑌 − 𝑔(𝑋))2 | 𝑋 = 𝑥] over all functions 𝑔 at all points 𝑋 = 𝑥.

– More plainly, it minimizes the sum of squared errors.

– Minimizes prediction errors.

• 𝜖 = 𝑌 − 𝑓(𝑥) is the irreducible error.

– Even if we knew 𝑓(𝑥), we would still make errors in prediction.

– At each 𝑋 = 𝑥 there is typically a distribution of possible 𝑌 values.

• For any estimate $\hat{f}(x)$ of 𝑓(𝑥), we have:


$$E[(Y - \hat{f}(X))^2 \mid X = x] = \underbrace{[f(x) - \hat{f}(x)]^2}_{\text{Reducible}} + \underbrace{\mathrm{Var}(\epsilon)}_{\text{Irreducible}}$$

The hat notation in $\hat{f}(x)$ signifies that it is an estimate from data. The squared prediction error at 𝑋 = 𝑥 can be expanded into two pieces: the reducible error, which is the squared difference between the estimate $\hat{f}(x)$ and the true function 𝑓(𝑥), and the irreducible error, which is the variance of the error term 𝜖. If the estimate needs to be improved it is the first, reducible, part that can be improved by changing the way that $\hat{f}(x)$ is estimated.

When estimating the function 𝑓 from data there will typically be values, such as 𝑋 = 4, at which no observation has exactly that value. In these cases 𝐸(𝑌 | 𝑋 = 𝑥) cannot be computed directly! This can be solved simply by relaxing the definition to:

𝑓(𝑥) = Ave(𝑌 | 𝑋 ∈ 𝒩 (𝑥))

Where 𝒩 (𝑥) is some neighborhood of 𝑥. It keeps the spirit of conditional expectation: it is close to the target point 𝑥, and if the neighborhood is made wide enough there will be enough points to average. This is called nearest neighbors or local averaging.

As the neighborhood is slid across the 𝑥 axis calculating the averages it traces the regression function curve. It will not be perfect because the neighborhood introduces some amount of error. Unfortunately this does not always work, especially as the number of dimensions grows.

Dimensionality and Structured Models

The nearest neighbor method works for small 𝑝, such as 𝑝 ≤ 4, and large 𝑁. It can be a total failure when 𝑝 is large; this is because of the curse of dimensionality.

• We need to get a reasonable fraction of the 𝑁 values of 𝑦𝑖 (≈ 10%) to average in order to bring down the variance.

– Simply put, there must be more than one point in each neighborhood so the estimate has a small variance.

• A 10% neighborhood in high dimensions need no longer be local, so we lose the spirit of estimating 𝐸(𝑌 | 𝑋 = 𝑥) by local averaging.

Note: The dimensionality refers to the number of dimensions used to create the neighborhood. So far we have considered a one dimensional neighborhood, which is created by using two separate 𝑋 values spread out equidistantly from 𝑥. A two dimensional neighborhood would be a circle with the radius being the neighborhood size.
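The local averaging estimator and the 10% neighborhood argument above, as an added example (not code from the original notes). The sample data are constructed: the true regression function is assumed to be 𝑓(𝑥) = 2𝑥 + 1 with small hand-written noise, and no observation sits at exactly 𝑥 = 4, which is the situation in which 𝐸(𝑌 | 𝑋 = 4) cannot be formed directly. The function names are this example's own.

```python
"""Local averaging (nearest-neighbour regression) and the curse of dimensionality.

Added example, not part of the original notes. The sample below is constructed:
the true regression function is assumed to be f(x) = 2x + 1 and the y values
carry small hand-written noise, so the numbers are illustrative only.
"""
from typing import List, Sequence, Tuple

# Constructed sample. No observation sits at exactly x = 4.0, so the conditional
# average E(Y | X = 4) cannot be formed from the data directly.
X_SAMPLE: List[float] = [1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 4.5, 5.0, 5.5, 6.0]
Y_SAMPLE: List[float] = [3.1, 3.9, 5.2, 5.9, 7.1, 7.8, 10.2, 10.9, 12.1, 12.8]


def neighbourhood(xs: Sequence[float], x0: float, width: float) -> List[int]:
    """Indices of the observations inside N(x0) = [x0 - width, x0 + width]."""
    return [i for i, x in enumerate(xs) if abs(x - x0) <= width]


def local_average(xs: Sequence[float], ys: Sequence[float],
                  x0: float, width: float) -> float:
    """f_hat(x0) = Ave(Y | X in N(x0)); fails loudly when N(x0) is empty."""
    idx = neighbourhood(xs, x0, width)
    if not idx:
        raise ValueError(f"no observations within {width} of x = {x0}")
    return sum(ys[i] for i in idx) / len(idx)


def trace_regression(xs: Sequence[float], ys: Sequence[float],
                     grid: Sequence[float], width: float) -> List[Tuple[float, float]]:
    """Slide the neighbourhood along `grid` and collect (x0, f_hat(x0)) pairs."""
    return [(x0, local_average(xs, ys, x0, width)) for x0 in grid]


def side_for_fraction(fraction: float, p: int) -> float:
    """Edge length of the cube inside the unit cube [0, 1]^p that captures a
    given fraction of uniformly spread points, i.e. fraction = side ** p.
    For p = 1 a 10% neighbourhood is 10% wide; for p = 10 it spans ~79% of
    each axis, which is no longer local in any useful sense."""
    return fraction ** (1.0 / p)


if __name__ == "__main__":
    for x0, f_hat in trace_regression(X_SAMPLE, Y_SAMPLE, [2.0, 3.0, 4.0, 5.0], 0.5):
        print(f"f_hat({x0}) = {f_hat:.3f}   true f = {2 * x0 + 1:.3f}")
    for p in (1, 2, 4, 10):
        print(f"p = {p:2d}: 10% neighbourhood side = {side_for_fraction(0.1, p):.3f}")
```

With width 0.5 the estimate at 𝑥 = 4 averages the two neighbours at 3.5 and 4.5 and lands on 9.0, the true value; with width 0.1 the neighbourhood is empty and the estimator refuses rather than silently returning something. `side_for_fraction` is the curse of dimensionality in one line: to keep 10% of uniformly spread points, the cube's side must grow as 0.1^(1/𝑝).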

To deal with the problem, parametric and structured models are used. The linear model is an important example of a parametric model.

$$f_L(X) = \beta_0 + \beta_1 X_1 + \beta_2 X_2 + \dots + \beta_p X_p$$

• A linear model is specified in terms of 𝑝 + 1 parameters.

– 𝛽0, 𝛽1, ..., 𝛽𝑝

• The parameters are estimated by fitting the model to the training data.

• Although it is almost never correct, a linear model often serves as a good and interpretable approximation to the unknown true function 𝑓(𝑋).

• Avoids the curse of dimensionality.
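Fitting the 𝑝 + 1 parameters of the linear model to training data, as an added example (not code from the original notes). It uses only the standard library: the normal equations (𝑋ᵀ𝑋)𝛽 = 𝑋ᵀ𝑦 are solved by Gauss-Jordan elimination. The Sales/TV/Radio/Newspaper rows are constructed so that Sales = 1 + 0.5·TV + 0.25·Radio exactly (Newspaper has no effect), which lets the fit be checked against known coefficients; real data would also carry the error term 𝜖.

```python
"""Fitting the linear model f_L(X) = b0 + b1*X1 + ... + bp*Xp by least squares.

Added example, not part of the original notes; standard library only. The p + 1
parameters are found by solving the normal equations (X^T X) b = X^T y with
Gauss-Jordan elimination. The Sales/TV/Radio/Newspaper rows are constructed so
that Sales = 1 + 0.5*TV + 0.25*Radio exactly (Newspaper has no effect); real
data would also carry the error term epsilon, so the fit would not be exact.
"""
from typing import List, Sequence

Row = Sequence[float]

# Constructed advertising data: (TV, Radio, Newspaper) and the resulting Sales.
ADS: List[Row] = [(10, 4, 2), (20, 8, 5), (30, 2, 1), (40, 12, 8), (50, 6, 3), (60, 10, 0)]
SALES: List[float] = [7.0, 13.0, 16.5, 24.0, 27.5, 33.5]


def design_matrix(rows: Sequence[Row]) -> List[List[float]]:
    """Prepend a constant 1 to each row so the intercept b0 is fitted like any
    other coefficient."""
    return [[1.0, *map(float, r)] for r in rows]


def solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting.
    Raises ValueError when the system is singular (e.g. collinear features)."""
    n = len(a)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]  # augmented matrix
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular system: are two features collinear?")
        m[col], m[pivot] = m[pivot], m[col]
        scale = m[col][col]
        m[col] = [v / scale for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                factor = m[r][col]
                m[r] = [rv - factor * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def fit_linear(rows: Sequence[Row], y: Sequence[float]) -> List[float]:
    """Return [b0, b1, ..., bp] minimising the sum of squared residuals."""
    x = design_matrix(rows)
    n, k = len(x), len(x[0])
    xtx = [[sum(x[i][a] * x[i][c] for i in range(n)) for c in range(k)] for a in range(k)]
    xty = [sum(x[i][a] * y[i] for i in range(n)) for a in range(k)]
    return solve(xtx, xty)


def predict(beta: Sequence[float], row: Row) -> float:
    """f_L(row) for fitted coefficients beta."""
    return beta[0] + sum(b * v for b, v in zip(beta[1:], row))


def rss(beta: Sequence[float], rows: Sequence[Row], y: Sequence[float]) -> float:
    """Residual sum of squares, the quantity least squares minimises."""
    return sum((yi - predict(beta, r)) ** 2 for r, yi in zip(rows, y))


if __name__ == "__main__":
    beta = fit_linear(ADS, SALES)
    print("b0..b3 =", [round(b, 4) for b in beta], "RSS =", round(rss(beta, ADS, SALES), 6))
```

Because the constructed response carries no noise, the fit recovers (1, 0.5, 0.25, 0) and the residual sum of squares is zero up to floating-point error; the fitted Newspaper coefficient of 0 is the kind of "this predictor is irrelevant" conclusion the notes mention. Passing two collinear features makes 𝑋ᵀ𝑋 singular, which `solve` reports instead of returning garbage.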

There are other versions for such cases including kernel and spline smoothing. Smoothers are an entire class of techniques. There are some trade-offs when building models though:


• Prediction accuracy versus interpretability.

– Linear models are easy to interpret.

* Just a few parameters.

– thin-plate splines are not.

* Give a surface back, a surface in ten dimensions can be hard to interpret.

• Overfitting versus underfitting.

– Must be able to tell when the fit is right.

• Parsimony versus black-box.

– Often it is preferred to have a simpler model involving fewer variables over a black-box predictor involving all of them.

Interpretability versus Flexibility of models:

• High Interpretability & low Flexibility

– Subset Selection

– Lasso

• High/Medium Interpretability & Flexibility

– Least Squares

• Medium Interpretability & Flexibility

– Generalized Additive Models

– Trees

• Low Interpretability & High Flexibility

– Bagging

– Boosting

– Support Vector Machines

Model Selection and Bias-Variance Tradeoff

This is about choosing between the different methods available when the dimensions are high and when linearity does not work.

Classification

Introduction to R

1.9.2 Glossary

date 12 January, 2016

Classification Problem A case of the supervised learning problem where the outcome measurement takes values from a finite unordered set. For example (survived/died, digit 0-9, cancer class of tissue sample).

Curse of Dimensionality Nearest neighbors tend to be far away in high dimensions.

Machine Learning The study of algorithms that can learn and make predictions from data.


Neighborhood A neighborhood of 𝑥 is a neighborhood of points defined in some way around the target point.

Neural Network, Neural Networks A subfield of machine learning whose algorithm models are inspired by biological neural networks.

Regression Function Returns the conditional expectation of 𝑌 given 𝑋 at each value of 𝑋 .

Regression Problem A case of the supervised learning problem where the outcome measurement is quantitative, forexample blood pressure or price.

Statistical Learning A subfield or framework of machine learning whose models are inspired by the fields of statistics and functional analysis.

1.10 Computer Science Mathematics

1.10.1 Introduction to Linear Algebra

date 17 January, 2016

Math is about love, and sometimes love doesn’t make sense.

—Anonymous

Notation

Vectors are normally represented using the following notation:

$$\vec{v} = (5, 0) = \begin{pmatrix} 5 \\ 0 \end{pmatrix}$$

The arrow above the variable signifies that it is a vector; the first value of the tuple, 5, is its magnitude in the 𝑥 direction and the second value, 0, its magnitude in the 𝑦 direction. Another possible notation is column vector form, which is represented by the second equality.

Note: There is no positional information given; two vectors in different positions with the same magnitude and direction are considered equivalent.

Another important notation is ℝ², which refers to the two dimensional real coordinate space. This is just the coordinate space represented by the standard two dimensional coordinate plane. It consists of all possible real valued 2-tuples. ℝ³ would be all the real valued 3-tuples and so on. For the purpose of generalized equations ℝⁿ is frequently seen.

Adding Vectors

Adding two vectors graphically can be done by graphing the vectors that are being added. After graphing the first vector, graph the second vector starting from the head of the first vector, and so on.

$$\vec{a}, \vec{b} \in \mathbb{R}^2, \qquad \vec{a} = \begin{pmatrix} 6 \\ -2 \end{pmatrix}, \qquad \vec{b} = \begin{pmatrix} -4 \\ 4 \end{pmatrix}$$

$$\vec{a} + \vec{b} = \begin{pmatrix} 6 + (-4) \\ -2 + 4 \end{pmatrix} = \begin{pmatrix} 2 \\ 2 \end{pmatrix}$$


1.10.2 Introduction to Discrete Mathematics

date 12 January, 2016

“The want of logic annoys. Too much logic bores. Life eludes logic, and everything that logic alone constructs remains artificial and forced.”

—Edward Wong Hau Pepelu Tivrusky IV (Radical Edward)

Discrete Systems

Most often in Computer Science discrete structures are being used versus continuous. Although one notable exception I can think of is with Haskell where it is possible to define infinite structures.

Consider the discrete system of a map of cities, and we define a path between the cities. The path can be represented as a vector (A,B,C,D,E,F) which is a discrete object. The cities themselves are discrete objects and the paths are also discrete objects.

It would be possible to create another path such as (D,A,C,B,E,F) which is also a discrete object but made up of the exact same group of cities. It is also of note here that the reverse of the vector creates the same exact path between the cities. In this particular case both (A,B,C,D,E,F) and (F,E,D,C,B,A) are the same discrete object just as (D,A,C,B,E,F) and (F,E,B,C,A,D) are.

Examples of problems that discrete mathematics is used to solve:

• How many ways are there to choose a valid (alpha numeric) password?

• What is the probability of winning a lottery?

• Is there a link between two computers in a network?

• How can I identify spam e-mail messages?

• What is the shortest path between two cities using a transportation system?

• How can a list of integers be sorted so that the integers are in increasing order?

• How many steps are required to do such a sorting?

• How can it be proved that a sorting algorithm correctly sorts a list?

• How many valid Internet addresses are there?


Propositions

A statement that has a truth value, for example:

• Every man is mortal.

• Socrates is a man.

• Socrates is mortal.

• 1 + 1 = 2

• 1 × 1 = 2

Things that are not propositions include:

• Imperative sentences (commands).

– Go away Socrates.

• Questions.

– Is every being mortal?

• Variable equations.

– 𝑥 + 1 = 2

Propositional Logic

When constructing propositions, variables can be used such as 𝑝, 𝑞, 𝑟, 𝑠, ... and a common convention is for the proposition that is always true to be denoted with a 𝑡 and the proposition that is always false to be denoted by 𝑓. Compound propositions are constructed using logical connectives and other propositions:

• Negation: ¬

– “Not”

• Conjunction: ∧

– “And”

• Disjunction: ∨

– Inclusive “or”

– Exclusive “or”

• Implication: →

– “If 𝑝 then 𝑞”

– “if 𝑝, 𝑞”

– “𝑞 unless ¬𝑝”

– etc.

• Biconditional: ↔

– “𝑝 if and only if 𝑞”

– 𝑝 iff 𝑞


Important: The validity of a propositional argument has nothing to do with its truth value but only with its logical structure. Whether a proposition is valid depends on whether it can be assigned a truth value, but not on what that truth value is. Validity is completely independent of truth.

There also exist special forms of a proposition; for the natural language examples take the sentence “If it rains, then I am not going to town.”:

• Converse

– 𝑞 → 𝑝 is the converse of 𝑝 → 𝑞

– If I do not go to town, then it is raining.

• Contrapositive

– ¬𝑞 → ¬𝑝 is the contrapositive of 𝑝 → 𝑞

– If it is not raining, then I will go to town.

• Inverse

– ¬𝑝 → ¬𝑞 is the inverse of 𝑝 → 𝑞

– If I go to town, then it is not raining.

Precedence of Logical Operators

Like in mathematics there is an order of operations. Parentheses can be used to change the order of operation, and if unsure of the order they can be used verbosely.

Operator   Precedence
¬          1
∧          2
∨          3
→          4
↔          5

Compound Propositional Statements

Example of a truth table for compound propositions:

𝑝  𝑞  𝑟  ¬𝑟  𝑝 ∨ 𝑞  (𝑝 ∨ 𝑞) → ¬𝑟
t  t  t  f   t      f
t  t  f  t   t      t
t  f  t  f   t      f
t  f  f  t   t      t
f  t  t  f   t      f
f  t  f  t   t      t
f  f  t  f   f      t
f  f  f  t   f      t

Two propositions are equivalent if they have the same exact truth table. A truth table with 𝑛 propositional variables has 2ⁿ rows. Therefore with 𝑛 propositional variables it is possible to construct 2ⁿ distinct (not equivalent) propositions.

Steps to convert an English sentence to a statement in propositional logic:

• Identify atomic propositions and represent them using variables.


• Determine the appropriate logical connectives (and, or, etc.).

Propositional Equivalencies

• Tautologies, Contradictions, and Contingencies.

• Logical Equivalence

– Important Logical Equivalences

* Identity Laws

· 𝑝 ∧ 𝑇 ≡ 𝑝

· 𝑝 ∨ 𝐹 ≡ 𝑝

* Domination Laws

· 𝑝 ∨ 𝑇 ≡ 𝑇

· 𝑝 ∧ 𝐹 ≡ 𝐹

* Idempotent Laws

· 𝑝 ∨ 𝑝 ≡ 𝑝

· 𝑝 ∧ 𝑝 ≡ 𝑝

* Double Negation Law

· ¬(¬𝑝) ≡ 𝑝

* Negation Laws

· 𝑝 ∨ ¬𝑝 ≡ 𝑇

· 𝑝 ∧ ¬𝑝 ≡ 𝐹

* Commutative Laws

· 𝑝 ∨ 𝑞 ≡ 𝑞 ∨ 𝑝

· 𝑝 ∧ 𝑞 ≡ 𝑞 ∧ 𝑝

* Associative Laws

· (𝑝 ∧ 𝑞) ∧ 𝑟 ≡ 𝑝 ∧ (𝑞 ∧ 𝑟)

· (𝑝 ∨ 𝑞) ∨ 𝑟 ≡ 𝑝 ∨ (𝑞 ∨ 𝑟)

* Distributive Laws

· 𝑝 ∨ (𝑞 ∧ 𝑟) ≡ (𝑝 ∨ 𝑞) ∧ (𝑝 ∨ 𝑟)

· 𝑝 ∧ (𝑞 ∨ 𝑟) ≡ (𝑝 ∧ 𝑞) ∨ (𝑝 ∧ 𝑟)

* Absorption Laws

· 𝑝 ∨ (𝑝 ∧ 𝑞) ≡ 𝑝

· 𝑝 ∧ (𝑝 ∨ 𝑞) ≡ 𝑝

* De Morgan’s Laws

· ¬(𝑝 ∧ 𝑞) ≡ ¬𝑝 ∨ ¬𝑞

· ¬(𝑝 ∨ 𝑞) ≡ ¬𝑝 ∧ ¬𝑞

– Showing Logical Equivalence


• Normal Forms

– Disjunctive Normal Form

* Important for some circuit design methods.

– Conjunctive Normal Form

* Important in resolution theorem proving, used in artificial intelligence.

* Every proposition can be put in conjunctive normal form.

* Eliminate implications, move negation inwards, use distributive and associative laws.

• Propositional Satisfiability

• Propositional Unsatisfiability

Expressions can be shown to be logically equivalent by developing identical expressions, using the laws of equivalence to manipulate the expression through some number, 𝑛, of transformations.

𝐴 ≡ 𝐴1 ≡ 𝐴2 ≡ ... ≡ 𝐴𝑛

De Morgan’s Laws A method to convert the form of one proposition to a logically equivalent one.

The negation of a conjunction is equivalent to the disjunction of the negations, and the negation of a disjunction is equivalent to the conjunction of the negations.

• ¬(𝑝 ∧ 𝑞) ≡ ¬𝑝 ∨ ¬𝑞

• ¬(𝑝 ∨ 𝑞) ≡ ¬𝑝 ∧ ¬𝑞

𝑝  𝑞  ¬𝑝  ¬𝑞  𝑝 ∨ 𝑞  ¬(𝑝 ∨ 𝑞)  ¬𝑝 ∧ ¬𝑞
t  t  f   f   t      f         f
t  f  f   t   t      f         f
f  t  t   f   t      f         f
f  f  t   t   f      t         t

Unnamed Logical Equivalencies

Conditional Statement          Equivalence
𝑝 → 𝑞                          ¬𝑝 ∨ 𝑞
𝑝 → 𝑞                          ¬𝑞 → ¬𝑝
¬𝑝 → 𝑞                         𝑝 ∨ 𝑞
¬(𝑝 → ¬𝑞)                      𝑝 ∧ 𝑞
¬(𝑝 → 𝑞)                       𝑝 ∧ ¬𝑞
(𝑝 → 𝑞) ∧ (𝑝 → 𝑟)              𝑝 → (𝑞 ∧ 𝑟)
(𝑝 → 𝑟) ∧ (𝑞 → 𝑟)              (𝑝 ∨ 𝑞) → 𝑟
(𝑝 → 𝑞) ∨ (𝑝 → 𝑟)              𝑝 → (𝑞 ∨ 𝑟)
(𝑝 → 𝑟) ∨ (𝑞 → 𝑟)              (𝑝 ∧ 𝑞) → 𝑟

Biconditional Statement        Equivalence
𝑝 ↔ 𝑞                          (𝑝 → 𝑞) ∧ (𝑞 → 𝑝)
𝑝 ↔ 𝑞                          ¬𝑝 ↔ ¬𝑞
𝑝 ↔ 𝑞                          (𝑝 ∧ 𝑞) ∨ (¬𝑝 ∧ ¬𝑞)
¬(𝑝 ↔ 𝑞)                       𝑝 ↔ ¬𝑞
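Truth tables, and "equivalent means identical truth tables", made executable. This is an added example (not code from the original notes) serving both the compound propositional statements section and the equivalence tables above: a proposition is a Python function of an assignment, `implies` and `iff` are defined since Python has no such operators, and each listed equivalence is confirmed by exhausting all 2ⁿ rows. Function and table names are this example's own.

```python
"""Truth tables and logical equivalence by exhaustive evaluation.

Added example, not part of the original notes. A compound proposition is a
Python function of an assignment (a dict from variable name to bool); implies()
and iff() are defined because Python has no operators for them. Two propositions
are equivalent exactly when their truth tables agree on all 2^n rows, which is
the definition used in the notes.
"""
from itertools import product
from typing import Callable, Dict, Iterator, List, Sequence, Tuple

Assignment = Dict[str, bool]
Prop = Callable[[Assignment], bool]


def implies(p: bool, q: bool) -> bool:
    """p -> q: false only when p is true and q is false."""
    return (not p) or q


def iff(p: bool, q: bool) -> bool:
    """p <-> q: true when both sides have the same truth value."""
    return p == q


def assignments(names: Sequence[str]) -> Iterator[Assignment]:
    """All 2^n rows of a truth table, in the conventional t-before-f order."""
    for values in product((True, False), repeat=len(names)):
        yield dict(zip(names, values))


def truth_table(names: Sequence[str], prop: Prop) -> List[Tuple[Tuple[bool, ...], bool]]:
    """Rows of (variable values, proposition value)."""
    return [(tuple(a[n] for n in names), prop(a)) for a in assignments(names)]


def equivalent(names: Sequence[str], left: Prop, right: Prop) -> bool:
    """Same truth table on every row."""
    return all(left(a) == right(a) for a in assignments(names))


def classify(names: Sequence[str], prop: Prop) -> str:
    """Tautology (always true), contradiction (always false) or contingency."""
    values = {prop(a) for a in assignments(names)}
    if values == {True}:
        return "tautology"
    if values == {False}:
        return "contradiction"
    return "contingency"


def render(names: Sequence[str], prop: Prop, label: str) -> str:
    """Plain-text truth table in the same layout the notes use."""
    tf = lambda v: "t" if v else "f"
    lines = ["  ".join(names) + "  " + label]
    for values, out in truth_table(names, prop):
        lines.append("  ".join(tf(v) for v in values) + "  " + tf(out))
    return "\n".join(lines)


# A few of the equivalences listed in the notes, checked exhaustively.
PQR = ("p", "q", "r")
CHECKS = {
    "De Morgan": (lambda a: not (a["p"] and a["q"]),
                  lambda a: (not a["p"]) or (not a["q"])),
    "p->q == ~p v q": (lambda a: implies(a["p"], a["q"]),
                       lambda a: (not a["p"]) or a["q"]),
    "p->q == ~q->~p": (lambda a: implies(a["p"], a["q"]),
                       lambda a: implies(not a["q"], not a["p"])),
    "p<->q == (p->q)^(q->p)": (lambda a: iff(a["p"], a["q"]),
                               lambda a: implies(a["p"], a["q"]) and implies(a["q"], a["p"])),
}


def check_all() -> Dict[str, bool]:
    """Which of the listed equivalences hold on every row of the truth table."""
    return {name: equivalent(PQR, l, r) for name, (l, r) in CHECKS.items()}


if __name__ == "__main__":
    print(render(PQR, lambda a: implies(a["p"] or a["q"], not a["r"]), "(p v q) -> ~r"))
    print(check_all())
```

The converse 𝑞 → 𝑝 is deliberately not in the table of equivalences; `equivalent` returns False for it because the rows (t, f) and (f, t) disagree, which is the same reason the notes separate the converse from the contrapositive.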

Applications

Some applications include system specifications and logic circuits.


System Specifications Systems Engineers take requirements in English and express them in a specification language based on logic. For example “The automated reply cannot be sent when the file system is full.”:

let 𝑝 = The automated reply can be sent

let 𝑞 = The file system is full

𝑞 → ¬𝑝

This type of approach grants consistent system specifications. For example consider the following statements which might be selected as a system specification:

• The diagnostic message is stored in the buffer or it is retransmitted

• The diagnostic message is not stored in the buffer

• If the diagnostic message is stored in the buffer, then it is retransmitted

let 𝑝 = The diagnostic message is stored in the buffer

let 𝑞 = The diagnostic message is retransmitted

Construct truth tables for each statement:

• The diagnostic message is stored in the buffer or it is retransmitted

𝑝  𝑞  𝑝 ∨ 𝑞
t  t  t
t  f  t
f  t  t
f  f  f

• The diagnostic message is not stored in the buffer

𝑝  ¬𝑝
t  f
f  t

• If the diagnostic message is stored in the buffer, then it is retransmitted

𝑝  𝑞  𝑝 → 𝑞
t  t  t
t  f  f
f  t  t
f  f  t

The entire system is consistent as long as there exists a way to assign a truth value to the propositions that allows each of the compound propositions that make up the system specification to be true. Here when 𝑝 is false and 𝑞 is true all three are true. The system is consistent. Now another system specification is added:

• The diagnostic message is not retransmitted

𝑞  ¬𝑞
t  f
f  t

Now when 𝑞 is true it breaks the consistency of the system because one of the propositions is now false. The system is now inconsistent and has contradictory propositions.
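The consistency check just carried out by hand, as an added example (not code from the original notes): each requirement is a named proposition over the atomic propositions 𝑝 and 𝑞 from the diagnostic-message example, and the specification is consistent exactly when some assignment satisfies every requirement, so the checker enumerates the 2ⁿ assignments. The `relaxable` helper and the requirement names are this example's own.

```python
"""Checking a system specification for consistency.

Added example, not part of the original notes. Each requirement is a named
compound proposition over atomic propositions; the specification is consistent
exactly when some assignment makes every requirement true, so the checker
enumerates the 2^n assignments (fine for a handful of variables). p and q are
the diagnostic-message propositions from the notes.
"""
from itertools import product
from typing import Callable, Dict, Iterator, List, Sequence, Tuple

Assignment = Dict[str, bool]
Requirement = Tuple[str, Callable[[Assignment], bool]]


def implies(p: bool, q: bool) -> bool:
    return (not p) or q


def assignments(names: Sequence[str]) -> Iterator[Assignment]:
    for values in product((True, False), repeat=len(names)):
        yield dict(zip(names, values))


def models(names: Sequence[str], spec: Sequence[Requirement]) -> List[Assignment]:
    """Every assignment under which all requirements hold; empty means inconsistent."""
    return [a for a in assignments(names) if all(req(a) for _, req in spec)]


def is_consistent(names: Sequence[str], spec: Sequence[Requirement]) -> bool:
    return bool(models(names, spec))


def violated_by(a: Assignment, spec: Sequence[Requirement]) -> List[str]:
    """Names of the requirements that a particular assignment fails."""
    return [name for name, req in spec if not req(a)]


def relaxable(names: Sequence[str], spec: Sequence[Requirement]) -> List[str]:
    """Requirements whose removal, on its own, makes an inconsistent spec consistent.
    Useful when reviewing which requirement has to be renegotiated."""
    return [name for name, _ in spec
            if is_consistent(names, [r for r in spec if r[0] != name])]


# p = the diagnostic message is stored in the buffer; q = it is retransmitted.
VARS = ("p", "q")
SPEC: List[Requirement] = [
    ("stored or retransmitted", lambda a: a["p"] or a["q"]),
    ("not stored", lambda a: not a["p"]),
    ("stored -> retransmitted", lambda a: implies(a["p"], a["q"])),
]
EXTRA: Requirement = ("not retransmitted", lambda a: not a["q"])


if __name__ == "__main__":
    print("models of SPEC:", models(VARS, SPEC))
    print("consistent with EXTRA?", is_consistent(VARS, SPEC + [EXTRA]))
    print("relax one of:", relaxable(VARS, SPEC + [EXTRA]))
```

The three original requirements have exactly one model, 𝑝 false and 𝑞 true; adding "not retransmitted" leaves no model at all. `relaxable` reports that dropping either the first or the fourth requirement would restore consistency, while dropping "not stored" or "stored -> retransmitted" would not.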


Logic Circuits Digital electronic circuit outputs can be interpreted as 1’s or 0’s. Generally 0 is interpreted as False and 1 as True. More complicated circuits can be constructed from simpler ones just as more complicated compound propositional statements in English can be constructed from simpler ones. More complicated circuits are generally constructed using only AND, OR, and NOT gates.

This can be used to build electrical system diagrams and reason about systems.

Artificial Intelligence Knowledge bases have been a research effort for a long time and store propositional statements as knowledge.

Compiler Optimizations For example logic identities can be used to short circuit conditional statements.

Notation

$$\bigvee_{j=1}^{n} p_j = p_1 \vee p_2 \vee \dots \vee p_n$$

$$\bigwedge_{j=1}^{n} p_j = p_1 \wedge p_2 \wedge \dots \wedge p_n$$

1.10.3 Logic

date 28 January, 2016

“Something Profound”

—someone cool

Predicates and Quantifiers

Propositional logic is not enough: consider the propositions “All men are mortal” and “Socrates is a man”; it clearly follows that “Socrates is mortal” but this cannot be represented using just propositional logic. A language is needed to formally talk about objects, their properties, their relations and to draw inferences. The solution is an extension of propositional logic to predicate logic. Predicate logic adds:

• Variables: 𝑥, 𝑦, 𝑧

• Predicates: 𝑃 (𝑥), 𝑀(𝑥)

• Quantifiers

Propositional Functions

Propositional functions are a generalization of propositions; they contain variables and predicates, for example 𝑃(𝑥). The variables can be replaced with elements from their domain. Once a variable is replaced by a value from the domain, or bound by a quantifier, the function becomes a proposition and therefore has a truth value. Often the domain is denoted 𝑈, as a universe is in statistics and probability. For example:

• Let 𝑃 (𝑥) denote 𝑥 > 0

– 𝑃 (−3) is False

– 𝑃 (0) is False

– 𝑃 (3) is True


– 𝑃 (3) ∨ 𝑃 (−1) is True

– 𝑃 (3) ∧ 𝑃 (−1) is False

– 𝑃 (3) → 𝑃 (−1) is False

Quantifiers

Expressions with variables are not propositions and do not have truth values. When used with quantifiers, expressions (propositional functions) become propositions with a truth value. Quantifiers are used to express the meaning of the words all and some and define the set that the propositional function is applied to. The quantifiers are said to bind the variable. The quantifiers also have higher precedence than all the logical operators.

Note that the truth value of a propositional function with a quantifier depends both on the propositional function and the domain 𝑈.

• ∀ which reads “for all” and represents the word all.

– ∀𝑥𝑃 (𝑥) asserts that the function is true for all 𝑥.

– Reads: “For all 𝑥, 𝑃 of 𝑥.”

– Example: “All men are mortal.”

– Let 𝑃 (𝑥) denote 𝑥 > 0.

* If 𝑈 = {𝑥|𝑥 ∈ Z}, then ∀𝑥𝑃 (𝑥) is False.

* If 𝑈 = {𝑥|𝑥 ∈ N1}, then ∀𝑥𝑃 (𝑥) is True.

– Let 𝑃 (𝑥) denote 𝑥 mod 2 = 0.

* If 𝑈 = {𝑥|𝑥 ∈ Z}, then ∀𝑥𝑃 (𝑥) is False.

• ∃ which reads “exists” and represents the word some.

– ∃𝑥𝑃 (𝑥) asserts that the function is true for some (at least one, not 0) 𝑥.

– Reads: “For some 𝑥, 𝑃 of 𝑥.”

– Example: “Some men are mortal.”

– Let 𝑃 (𝑥) denote 𝑥 > 0.

* If 𝑈 = {𝑥|𝑥 ∈ Z}, then ∃𝑥𝑃 (𝑥) is True.

– Let 𝑃 (𝑥) denote 𝑥 < 0.

* If 𝑈 = {𝑥|𝑥 ∈ N1}, then ∃𝑥𝑃 (𝑥) is False.

– Let 𝑃 (𝑥) denote 𝑥 mod 2 = 0.

* If 𝑈 = {𝑥|𝑥 ∈ Z}, then ∃𝑥𝑃 (𝑥) is True.

• ∃! is a Uniqueness Quantifier and asserts that 𝑃 (𝑥) is true for one and only one 𝑥 in the universe of discourse. In English this may look like “There is a unique 𝑥 such that 𝑃 (𝑥).”

– Let 𝑃 (𝑥) denote 𝑥 + 1 = 0.

* If 𝑈 = {𝑥|𝑥 ∈ Z}, then ∃!𝑥𝑃 (𝑥) is True.

– Let 𝑃 (𝑥) denote 𝑥 > 0.

* If 𝑈 = {𝑥|𝑥 ∈ Z}, then ∃!𝑥𝑃 (𝑥) is False.

– Can also be expressed in a much more complicated way.


* ∃!𝑥𝑃(𝑥) ≡ ∃𝑥(𝑃(𝑥) ∧ ∀𝑦(𝑃(𝑦) → 𝑦 = 𝑥))

Translating from a natural language to logic can be very messy, because natural languages can be ambiguous about the set of objects being referred to. The different possible sets that form the domain 𝑈 can change the truth value of the propositional statement.

Converting the statements “All men are mortal” and “Socrates is a man” to use this notation:

• Let: 𝑀𝑎𝑛(𝑥) denote that 𝑥 is a man.

• Let: 𝑀𝑜𝑟𝑡𝑎𝑙(𝑥) denote that 𝑥 is mortal.

• Let: 𝑈 be the set of all people.

• Propositions: “All men are mortal” and “Socrates is a man.”

– ∀𝑥𝑀𝑎𝑛(𝑥) → 𝑀𝑜𝑟𝑡𝑎𝑙(𝑥)

– 𝑀𝑎𝑛(𝑆𝑜𝑐𝑟𝑎𝑡𝑒𝑠)

• Conclusion: “Socrates is mortal”

– 𝑀𝑜𝑟𝑡𝑎𝑙(𝑆𝑜𝑐𝑟𝑎𝑡𝑒𝑠)

Statements involving predicates and quantifiers are considered logically equivalent if and only if they have the same truth value for every predicate substituted into the statement and for every domain. There are two ways to think about quantifiers, either as a loop over all elements in the universe or like the following:

• If 𝑈 consists of the integers 1, 2, 3

– ∀𝑥𝑃 (𝑥) ≡ 𝑃 (1) ∧ 𝑃 (2) ∧ 𝑃 (3)

– ∃𝑥𝑃 (𝑥) ≡ 𝑃 (1) ∨ 𝑃 (2) ∨ 𝑃 (3)

Important: De Morgan’s Laws for Quantifiers.

• Rules for negating quantifiers

– ¬∀𝑥𝑃 (𝑥) ≡ ∃𝑥¬𝑃 (𝑥)

– ¬∃𝑥𝑃 (𝑥) ≡ ∀𝑥¬𝑃 (𝑥)

System Specification

One application of predicate logic is specifying properties that systems must satisfy. For example consider the following system properties.

• Every mail message larger than one megabyte will be compressed.

• If a user is active, at least one network link will be available.

Natural language is terrible for system specification; it is very possible for natural language constructs to be interpreted differently by many people. This can lead to disaster for a technical system. Once the specification is in a formal language, tools can be used to reason about the system and check its consistency. So explicitly declare the predicates and domains for the variables.

• Let: 𝐿(𝑚, 𝑦) be “Mail message 𝑚 is larger than 𝑦 megabytes.”

• Let: 𝐶(𝑚) be “Mail message 𝑚 will be compressed.”

• Let: 𝐴(𝑢) be “User 𝑢 is active.”

• Let: 𝑆(𝑛, 𝑥) be “Network link 𝑛 is state 𝑥.”


• Translations:

– ∀𝑚(𝐿(𝑚, 1) → 𝐶(𝑚))

– ∃𝑢𝐴(𝑢) → ∃𝑛𝑆(𝑛, 𝑎𝑣𝑎𝑖𝑙𝑎𝑏𝑙𝑒)

Note: Lojban is a constructed language designed specifically to be unambiguous, and is sometimes referred to as a speakable logic. It can be shown to translate into predicate logic, and there are also analogies between Lojban and combinatory logic. It has no irregularities or ambiguities in spelling or grammar. Such a language would be much more suited for science.

Predicate Calculus

• To be valid an assertion involving predicates:

– Must be true for all domains.

– Must be true for every propositional function substituted for the predicates in the assertion.

• To be satisfiable an assertion involving predicates:

– Must be true for some domains.

– Must be true for some propositional functions that can be substituted for the predicates in the assertion.

Caution: Again validity is not related to truth itself but to whether the logical structure of a system can give rise to truth. It is possible to construct an argument formally in a way where, if the predicates are true, then the conclusion is true. It is also possible to do the opposite, or to be somewhere in between. Those areas are what valid, satisfiable, and unsatisfiable are classifying.

Logic Programming

Prolog (Programming in Logic) is a logical programming language developed in the 1970’s by AI researchers. Prolog programs include Prolog facts and Prolog rules. The hope was a revolution in AI; to some degree it happened but it did not meet expectations. One problem is that as the number of premises increased the number of conclusions grew exponentially.

instructor(chan, math273).
instructor(patel, ee222).
instructor(grossman, cs301).
enrolled(kevin, math273).
enrolled(juana, ee222).
enrolled(juana, cs301).
enrolled(kiko, math273).
enrolled(kiko, cs301).

Here the predicates instructor(p,c) and enrolled(s,c) represent that professor p is the instructor of course c and the student s is enrolled in course c. Names beginning with upper case are variables, and if there is a predicate teaches(p,s) representing “professor p teaches student s,” we can write this rule:

teaches(P,S) :- instructor(P,C), enrolled(S,C).


This rule can be viewed as an equivalent to the following logic statement:

∀𝑝 ∀𝑐 ∀𝑠 ((𝐼(𝑝, 𝑐) ∧ 𝐸(𝑠, 𝑐)) → 𝑇(𝑝, 𝑠))

Generally now proof assistants are used, where known facts are expressed as logical statements, but it is not left to the computer to decide what is important and what isn’t; for example a number of intermediate statements are produced and then filtered manually.

Nested Quantifiers

Nested Quantifiers are frequently used in translation of English as well as to express concepts of computer science and mathematics. For example:

• Let: 𝑈 = {𝑥|𝑥 ∈ R}

• “Every real number has an inverse”

– ∀𝑥∃𝑦(𝑥 + 𝑦 = 0)

This can also be represented with nested propositional functions, where ∀𝑥∃𝑦(𝑥 + 𝑦 = 0) can be viewed as ∀𝑥𝑄(𝑥), where 𝑄(𝑥) is ∃𝑦𝑃(𝑥, 𝑦) and 𝑃(𝑥, 𝑦) is (𝑥 + 𝑦 = 0). Just as a single quantifier ∀ can be thought of as looping through all possible cases in the universe, nested quantifiers can be thought of as nested loops.

• To check if ∀𝑥∀𝑦𝑃 (𝑥, 𝑦) is True, loop through all 𝑥 values.

– At each 𝑥, loop through all 𝑦 values.

– If for some (𝑥, 𝑦) values 𝑃 (𝑥, 𝑦) is False, the statement is False and both loops terminate.

• To see if ∀𝑥∃𝑦𝑃 (𝑥, 𝑦) is True, loop through all 𝑥 values.

– At each 𝑥, loop through all 𝑦 values.

– If for some (𝑥, 𝑦) values 𝑃 (𝑥, 𝑦) is True, the statement is True and the inner loop terminates.

– If no 𝑦 is found such that 𝑃 (𝑥, 𝑦) is true, the outer loop terminates and the statement is False.

Note: If the domain of a variable is infinite this will be an infinite loop and cannot be done.

Order of quantifiers may or may not change the statement, consider:

• Let: 𝑃 (𝑥, 𝑦) be the statement 𝑥 + 𝑦 = 𝑦 + 𝑥

• Let: 𝑈 = {𝑥|𝑥 ∈ R}

– Then: ∀𝑥∀𝑦𝑃 (𝑥, 𝑦) ≡ ∀𝑦∀𝑥𝑃 (𝑥, 𝑦)

• Let: 𝑃 (𝑥, 𝑦) be the statement 𝑥 + 𝑦 = 0

• Let: 𝑈 = {𝑥|𝑥 ∈ R}

– Then: ∀𝑥∃𝑦𝑃 (𝑥, 𝑦) ̸≡ ∃𝑦∀𝑥𝑃 (𝑥, 𝑦)
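Quantifiers as loops over a finite universe, the short-circuit behaviour of the nested-loop description, the order-of-quantifiers contrast above, and the Prolog rule teaches(P,S) :- instructor(P,C), enrolled(S,C) from the Logic Programming section, all as one added example (not code from the original notes). The facts are the ones listed in the notes, re-expressed as Python sets; the finite ranges standing in for ℤ and ℕ₁ and the function names are this example's own assumptions.

```python
"""Quantifiers over finite domains as loops, and a Prolog rule as a join.

Added example, not part of the original notes. forall/exists/exists_unique
evaluate a predicate over an explicit finite universe and short-circuit exactly
as the loop description in the notes says; nested quantifiers are nested calls.
The instructor/enrolled facts are the ones listed in the notes, re-expressed as
Python sets so that teaches(P,S) :- instructor(P,C), enrolled(S,C) becomes
"there exists a course c with I(p,c) and E(s,c)".
"""
from typing import Callable, Iterable, List, Set, Tuple


def forall(universe: Iterable, pred: Callable[..., bool]) -> bool:
    """∀x P(x): stops at the first counterexample."""
    return all(pred(x) for x in universe)


def exists(universe: Iterable, pred: Callable[..., bool]) -> bool:
    """∃x P(x): stops at the first witness."""
    return any(pred(x) for x in universe)


def exists_unique(universe: Iterable, pred: Callable[..., bool]) -> bool:
    """∃!x P(x) ≡ ∃x (P(x) ∧ ∀y (P(y) → y = x))."""
    items = list(universe)  # the universe is iterated more than once
    return exists(items, lambda x: pred(x) and forall(items, lambda y: (not pred(y)) or y == x))


def negation_agrees(universe: Iterable, pred: Callable[..., bool]) -> Tuple[bool, bool]:
    """De Morgan for quantifiers: (¬∀x P(x), ∃x ¬P(x)) should be equal."""
    items = list(universe)
    return (not forall(items, pred), exists(items, lambda x: not pred(x)))


def order_matters(universe: Iterable) -> Tuple[bool, bool]:
    """(∀x∃y x+y=0, ∃y∀x x+y=0): swapping the quantifiers changes the value."""
    items = list(universe)
    return (forall(items, lambda x: exists(items, lambda y: x + y == 0)),
            exists(items, lambda y: forall(items, lambda x: x + y == 0)))


INTS = range(-5, 6)   # a finite stand-in for Z (assumption of this example)
NATS = range(1, 6)    # a finite stand-in for N1

# Facts from the notes, as relations: instructor(p, c) and enrolled(s, c).
INSTRUCTOR: Set[Tuple[str, str]] = {("chan", "math273"), ("patel", "ee222"), ("grossman", "cs301")}
ENROLLED: Set[Tuple[str, str]] = {("kevin", "math273"), ("juana", "ee222"), ("juana", "cs301"),
                                  ("kiko", "math273"), ("kiko", "cs301")}
COURSES = {c for _, c in INSTRUCTOR} | {c for _, c in ENROLLED}


def teaches(p: str, s: str) -> bool:
    """teaches(P,S) :- instructor(P,C), enrolled(S,C), i.e. ∃c (I(p,c) ∧ E(s,c))."""
    return exists(COURSES, lambda c: (p, c) in INSTRUCTOR and (s, c) in ENROLLED)


def all_teaches() -> List[Tuple[str, str]]:
    """Every (professor, student) pair the rule derives, like the query teaches(P, S)."""
    profs = {p for p, _ in INSTRUCTOR}
    students = {s for s, _ in ENROLLED}
    return sorted((p, s) for p in profs for s in students if teaches(p, s))


if __name__ == "__main__":
    print("forall x>0 over Z:", forall(INTS, lambda x: x > 0), " over N1:", forall(NATS, lambda x: x > 0))
    print("exists! x+1=0 over Z:", exists_unique(INTS, lambda x: x + 1 == 0))
    print("order matters:", order_matters(INTS))
    print("teaches:", all_teaches())
```

Python's `all` and `any` stop at the first counterexample or witness, which is exactly the loop termination the notes describe; the finite ranges are what make the loops terminate at all, since over the real ℤ or ℝ the Note above applies and the loop never ends.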


Quantifications with Two Variables

Statement                      When True                                              When False
∀𝑥∀𝑦𝑃(𝑥, 𝑦), ∀𝑦∀𝑥𝑃(𝑥, 𝑦)       𝑃(𝑥, 𝑦) is true for every pair (𝑥, 𝑦).                 There is a pair (𝑥, 𝑦) for which 𝑃(𝑥, 𝑦) is false.
∀𝑥∃𝑦𝑃(𝑥, 𝑦)                    For every 𝑥 there is a 𝑦 for which 𝑃(𝑥, 𝑦) is true.    There is an 𝑥 such that 𝑃(𝑥, 𝑦) is false for every 𝑦.
∃𝑥∀𝑦𝑃(𝑥, 𝑦)                    There is an 𝑥 for which 𝑃(𝑥, 𝑦) is true for every 𝑦.   For every 𝑥 there is a 𝑦 for which 𝑃(𝑥, 𝑦) is false.
∃𝑥∃𝑦𝑃(𝑥, 𝑦), ∃𝑦∃𝑥𝑃(𝑥, 𝑦)       There is a pair (𝑥, 𝑦) for which 𝑃(𝑥, 𝑦) is true.      𝑃(𝑥, 𝑦) is false for every pair (𝑥, 𝑦).

Negating Nested Quantifiers Just systematically apply De Morgan’s Laws. Let 𝑃(𝑤, 𝑓) be “woman 𝑤 has taken flight 𝑓” and 𝑄(𝑓, 𝑎) be “flight 𝑓 is on airline 𝑎”; then “There exists a woman who has taken a flight on every airline in the world” is:

∃𝑤∀𝑎∃𝑓(𝑃(𝑤, 𝑓) ∧ 𝑄(𝑓, 𝑎))

1. Use quantifiers to express the statement “There does not exist a woman who has taken a flight on every airline in the world.”

¬∃𝑤∀𝑎∃𝑓(𝑃(𝑤, 𝑓) ∧ 𝑄(𝑓, 𝑎))

2. Use De Morgan’s Laws to move the negation as far inward as possible.

¬∃𝑤∀𝑎∃𝑓(𝑃(𝑤, 𝑓) ∧ 𝑄(𝑓, 𝑎))
∀𝑤¬∀𝑎∃𝑓(𝑃(𝑤, 𝑓) ∧ 𝑄(𝑓, 𝑎))      by De Morgan’s for ∃
∀𝑤∃𝑎¬∃𝑓(𝑃(𝑤, 𝑓) ∧ 𝑄(𝑓, 𝑎))      by De Morgan’s for ∀
∀𝑤∃𝑎∀𝑓¬(𝑃(𝑤, 𝑓) ∧ 𝑄(𝑓, 𝑎))      by De Morgan’s for ∃
∀𝑤∃𝑎∀𝑓(¬𝑃(𝑤, 𝑓) ∨ ¬𝑄(𝑓, 𝑎))     by De Morgan’s for ∧

3. Translate to English.

• For every woman there is an airline such that for all flights, this woman has not taken that flight or that flight is not on this airline.

Translating mathematical statements into predicate logic:

• Translate: “The sum of two positive integers is always positive”

• Rewrite the statement to make the implied quantifiers and domains explicit.

– “For every two integers, if the integers are both positive, then the sum of the integers is positive.”

• Introduce variables, and specify the domain.

– “For all positive integers 𝑥 and 𝑦, 𝑥 + 𝑦 is positive.”

• Result:

– Let: 𝑈 = {𝑥|𝑥 ∈ Z}

– ∀𝑥∀𝑦((𝑥 > 0) ∧ (𝑦 > 0) → (𝑥 + 𝑦 > 0))


Calculus in logic Using quantifiers to express the definition of the limit of a real-valued function 𝑓(𝑥) of a real variable 𝑥 at a point 𝑎 in its domain.

Note: Recall the limit definition:

$$\lim_{x \to a} f(x) = L$$

is defined as:

$$\forall \epsilon > 0\ \exists \delta > 0 : |f(x) - L| < \epsilon \text{ whenever } 0 < |x - a| < \delta$$

• Let 𝑈𝜖 = {𝑥|𝑥 ∈ R ∧ 𝑥 > 0}

• Let 𝑈𝛿 = {𝑥|𝑥 ∈ R ∧ 𝑥 > 0}

• Let 𝑈𝑥 = {𝑥|𝑥 ∈ R}

– ∀𝜖∃𝛿∀𝑥(0 < |𝑥− 𝑎| < 𝛿 → |𝑓(𝑥) − 𝐿| < 𝜖)

1.10.4 Proofs

date 8 February, 2016

“The theorem can be likened to a pearl, and the method of proof to an oyster. The pearl is prized for itsluster and simplicity; the oyster is a complex living beast whose innards give rise to this mysteriouslysimple gem.”

—Douglas R. Hofstadter

Introduction

It is not always possible to check every value in a universe, but it is possible to reason about the properties of the set. By reasoning in such a way it is possible to develop a proof, a means to establish a fact about something that is unobtainable by checking every value in the universe.

Informal proofs:

• More than one rule of inference used per step.

• Steps are skipped.

• Rules of inference not stated explicitly.

• Easier to understand and explain.

• Easier to introduce errors.

Applications:

• Verification that computer programs are correct.

• Establishing that a system is secure.

• Enabling AI to make inferences.

• Showing that system specifications are consistent.

A theorem is a statement that can be shown to be true using:

• Definitions


• Other Theorems

• Axioms

• Rules of inference

Terms:

• Lemma

• Corollary

• Propositions

• Conjecture

Proving Theorems

Many Theorems have the form:

∀𝑥(𝑃 (𝑥) → 𝑄(𝑥))

Proving this can be done by showing that for an arbitrary element 𝑐 in the domain, 𝑃 (𝑐) → 𝑄(𝑐). By universal generalization the truth of the original statement follows. So, we must prove that:

𝑝 → 𝑞

Definitions for Examples

Note: Definition

An integer 𝑛 is even if there exists an integer 𝑘 such that 𝑛 = 2𝑘, and 𝑛 is odd if there exists an integer 𝑘 such that 𝑛 = 2𝑘 + 1.

Every integer is either odd or even but not both.

Note: Definition

A real number 𝑟 is rational if there exist integers 𝑝 and 𝑞 with 𝑞 ≠ 0 such that 𝑟 = 𝑝/𝑞.

Proving Conditional Statements

Methods:

• Direct Proof

• Contraposition

• Contradiction


Direct Proof For a Direct Proof, we start with what we are given and build a chain of logical steps to prove the statement.

A proof of the theorem “If 𝑛 is an odd integer, then 𝑛2 is odd.”

1. We assume that 𝑝 is true, 𝑛 = 2𝑘 + 1.

2. Square both sides, 𝑛2 = (2𝑘 + 1)2

3. Expand: 4𝑘2 + 4𝑘 + 1

4. Factor out a two: 2(2𝑘2 + 2𝑘) + 1

5. 𝑘 is an integer, and 2 times an integer is an integer, so let 𝑟 equal the arbitrary integer that results from 2𝑘2 + 2𝑘.

6. 2𝑟 + 1 QED

The final statement 2𝑟 + 1 matches exactly the definition for an odd number.

Prove that the sum of two rational numbers is rational. This can be reworded as an implication: if r and s are rational numbers, then their sum is rational. See the definition of a rational number.

1. Assume that p is true.

• r and s are rational numbers.

2. If r and s are rational numbers, then there must exist a way to write each of them as a fraction.

• Then there must exist integers p, q, t and u such that:

$$ r = \frac{p}{q}, \quad q \neq 0 \qquad\qquad s = \frac{t}{u}, \quad u \neq 0 $$

3. Look at the sum.

$$ r + s = \frac{p}{q} + \frac{t}{u} = \frac{pu + qt}{qu} = \frac{v}{w} $$

where v = pu + qt and w = qu ≠ 0 are both integers (q ≠ 0 and u ≠ 0, so their product is non-zero), which is exactly the definition of a rational number. QED

Proof by Contraposition Assume ¬q and show that ¬p is true as well. This is also called an indirect proof, because showing that ¬q → ¬p holds also shows that p → q holds.

Prove that if n is an integer and 3n + 2 is odd, then n is odd.

1. Assume ¬q: n is even, so n = 2k for some integer k.

• 3n + 2 = 3(2k) + 2

2. Simplify: 6k + 2

3. Factor out a two: 2(3k + 1)

4. Let j = 3k + 1, which is an integer.

5. 3n + 2 = 2j, so 3n + 2 is even; this is ¬p.

6. It follows that, because ¬q → ¬p is true, p → q must hold as well. QED


See the definition of an even number.

Prove that for an integer n, if n² is odd, then n is odd. Use proof by contraposition: assume that n is even (see the definition of an even number).

n = 2k

n² = 4k²

n² = 2(2k²)

Here it is shown that if n is an even integer, then n² is even. Therefore, by contraposition, for an integer n, if n² is odd then n is odd.
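The theorems above all have the form ∀n (P(n) → Q(n)). The Python below is an added example, not code from the rtfm page: it runs a bounded counterexample search for statements of that shape over a finite slice of the integers. Such a search can never prove one of the page's theorems, only fail to refute it, and the last check shows why that is not a proof. The function names (find_counterexample, check_page_theorems, euler_polynomial_counterexample) are this example's own; the polynomial n² + n + 41 is Euler's, which is prime for n = 0 … 39 and composite at n = 40.

```python
"""Bounded counterexample search for statements of the form
forall n (P(n) -> Q(n)) over a finite slice of the integers.

Added example, not part of the rtfm page. Checking every value of a finite
slice cannot establish a universal statement; it can only refute one. It is,
however, a cheap sanity check to run before investing in a proof.
"""
from typing import Callable, Iterable, Optional


def is_even(n: int) -> bool:
    # Definition from the page: n = 2k for some integer k.
    # Python's % is non-negative for a positive modulus, so negatives work too.
    return n % 2 == 0


def is_odd(n: int) -> bool:
    # Definition from the page: n = 2k + 1 for some integer k.
    return n % 2 == 1


def find_counterexample(hypothesis: Callable[[int], bool],
                        conclusion: Callable[[int], bool],
                        domain: Iterable[int]) -> Optional[int]:
    """Return the first n in domain with P(n) true and Q(n) false, else None.

    An implication P(n) -> Q(n) is false only on the row of its truth table
    where P is true and Q is false, so that is the only row worth searching.
    None means "no counterexample in this slice", not "proved".
    """
    for n in domain:
        if hypothesis(n) and not conclusion(n):
            return n
    return None


def check_page_theorems(bound: int = 1000) -> dict:
    """Run the three conditional theorems proved above over -bound..bound."""
    domain = range(-bound, bound + 1)
    return {
        "odd n -> odd n^2": find_counterexample(is_odd, lambda n: is_odd(n * n), domain),
        "3n+2 odd -> n odd": find_counterexample(lambda n: is_odd(3 * n + 2), is_odd, domain),
        "n^2 odd -> n odd": find_counterexample(lambda n: is_odd(n * n), is_odd, domain),
    }


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small values used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def euler_polynomial_counterexample(bound: int = 100) -> Optional[int]:
    """The conjecture "n^2 + n + 41 is prime for every n >= 0" survives
    n = 0..39 and fails at n = 40, where the value is 1681 = 41 * 41.
    This is the page's point: a finite check is evidence, not a proof."""
    return find_counterexample(lambda n: n >= 0,
                               lambda n: is_prime(n * n + n + 41),
                               range(0, bound))


if __name__ == "__main__":
    for name, result in check_page_theorems().items():
        print(f"{name}: {'no counterexample found' if result is None else result}")
    print("n^2 + n + 41 prime? first counterexample:", euler_polynomial_counterexample())
```

The search reports "no counterexample found" for the three page theorems and 40 for Euler's polynomial; the direct and contrapositive proofs above are what turn the first result into a theorem, the search alone never does.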

Proof by Contradiction Also called reductio ad absurdum, meaning “reduction to absurdity”. Proof by contradiction is an indirect form of proof. The goal is to show that a statement is true by showing that its negation is false: by showing that the denial (contradiction) of the proposition is, as the name suggests, absurd (false), it follows that the proposition is true.

More formally, to prove p, assume ¬p and derive a contradiction such as q ∧ ¬q. If it is shown that ¬p → F is true, it follows that the contrapositive T → p also holds, so p is true.

Prove that if you pick 22 days from the calendar, at least 4 must fall on the same day of the week.

1. Assume the negation: “No more than 3 of the 22 days fall on the same day of the week.”

2. There are 7 days in a week, so if at most 3 picked days fall on each day of the week, at most 7 × 3 = 21 days can have been picked (22 divided by 7 is 3 with a remainder of 1).

3. This contradicts the statement that we have picked 22 days. QED

Prove that √2 is irrational, using proof by contradiction. Assume the negation: √2 is rational, so there exist integers a and b, with b ≠ 0 and a and b sharing no common factor (a ⊥ b), such that

$$ \exists a, b \;\big|\; \sqrt{2} = \frac{a}{b}, \quad b \neq 0, \quad a \perp b $$

$$ 2 = \frac{a^2}{b^2} $$

$$ 2b^2 = a^2 $$

$$ a^2 \bmod 2 = 0 $$

So a² is even, and therefore a is even (by contraposition of “n odd → n² odd”, proved above); write a = 2c for some integer c.

$$ 2b^2 = 4c^2 $$

$$ b^2 = 2c^2 $$

$$ b^2 \bmod 2 = 0 $$

So b is even as well. Both a and b are divisible by 2, which contradicts a ⊥ b. Hence √2 is irrational. QED


1.10.5 Glossary

date 12 January, 2016

axiom, axioms A statement so simple or well established that it is accepted without question.


Biconditional The biconditional of propositions p and q is denoted by p ↔ q. It is often expressed in language by “p if and only if q” and has the truth table:

p  q  p ↔ q
t  t    t
t  f    f
f  t    f
f  f    t

Conjecture, Conjectures A statement that is proposed to be true but has not yet been proved; it may turn out to be either true or false. Once a proof of a conjecture is found, it becomes a theorem.

Conjunction The conjunction of propositions p and q is denoted by p ∧ q. It is often expressed in language by “and” and has the truth table:

p  q  p ∧ q
t  t    t
t  f    f
f  t    f
f  f    f

Conjunctive Normal Form, Conjunctive Normal Forms A propositional formula is in conjunctive normal form if it consists of a conjunction of (1, 2, ..., n) conjuncts, each of which is a disjunction of (1, 2, ..., m) atomic formulas or negations of atomic formulas. Or simply: a conjunction of disjunctions.

Every proposition can be put in conjunctive normal form.

Consistent System Specifications A list of propositions is consistent if it is possible to assign truth values to the propositional variables so that every proposition is true.

Contingency, Contingencies A proposition which is neither a tautology nor a contradiction, such as p.

Contradiction, Contradictions A proposition which is always false, for example p ∧ ¬p.

p  ¬p  p ∧ ¬p
t  f     f
f  t     f

Corollary, Corollaries A result that follows directly from a theorem.

Direct Proof Given p → q, assumes that p is true and uses rules of inference, axioms, and logical equivalences to show that q must also be true.

Discrete Mathematics A field of mathematics devoted to the study of discrete (as opposed to continuous) objects. This is in contrast to calculus, which deals with continuous objects.

Discrete Object, Discrete Objects Discrete objects are a set of countable, finite, individual elements.

Disjunction The disjunction of propositions p and q is denoted by p ∨ q. It is often expressed in language by “or” and has the truth table:

p  q  p ∨ q
t  t    t
t  f    t
f  t    t
f  f    f

In English “or” may also mean “exclusive or”, which is denoted by p ⊕ q and has the truth table:


p  q  p ⊕ q
t  t    f
t  f    t
f  t    t
f  f    f

Disjunctive Normal Form, Disjunctive Normal Forms A propositional formula is in disjunctive normal form if it consists of a disjunction of (1, 2, ..., n) disjuncts, each of which is a conjunction of (1, 2, ..., m) atomic formulas or negations of atomic formulas. Or simply: a disjunction of conjunctions. Important in some circuit design methods.

Implication The implication of propositions p and q is denoted by p → q. It is often expressed in language by “if p then q” and has the truth table:

p  q  p → q
t  t    t
t  f    f
f  t    t
f  f    t

Lemma, Lemmas A helping theorem or result which is needed to prove a theorem.

Logical Equivalence Two compound propositions p and q are logically equivalent if p ↔ q is a tautology. This is usually shown with the notation p ⇔ q or p ≡ q, where p and q are compound propositions.

Another way logical equivalence can be proven is using truth tables. Two compound propositions p and q are equivalent if and only if their columns in a truth table have the same values on every row.

For example this table shows that ¬p ∨ q is equivalent to p → q:

p  q  ¬p  ¬p ∨ q  p → q
t  t  f     t       t
t  f  f     f       f
f  t  t     t       t
f  f  t     t       t

Negation The negation of a proposition p is denoted by ¬p and has the truth table:

p  ¬p
t  f
f  t

Nested Quantifier, Nested Quantifiers Often necessary to express the meaning of sentences in English, as well as important concepts in computer science and mathematics.

Proof, Proofs A valid argument that establishes the truth of a statement.

Proposition, Propositions

1. A declarative sentence that is either true or false and therefore can be assigned a truth value.

2. Less important theorems can be called simply propositions.

Propositional Function, Propositional Functions A generalization of a proposition in the form of a function and a variable, such as P(x), where the variable is anything within the domain of the function. For example “Socrates is a man” could become “x is a man”, written P(x), and takes the original form when “Socrates” is used as the variable.

Propositional Satisfiability A proposition is satisfiable if there is some assignment of truth values to its parts that makes it true. Otherwise it is unsatisfiable.

Propositional Unsatisfiability There is no possible assignment of truth values that could make the proposition true. This is the case if and only if its negation is a tautology.


QED (Quod Erat Demonstrandum) Used to denote the end of a proof; quod erat demonstrandum means “which is what had to be proven”.

QEF (Quod Erat Faciendum) Slightly different from QED, used occasionally to close propositions which are not proofs but constructions, such as how to construct an equilateral triangle. It means “which had to be done”.

Quantifier, Quantifiers Used to express the words all and some, and represented with the symbols ∀ and ∃.

Scalar, Scalars A measurement that has only magnitude.

Speed A scalar measurement.

Tautology, Tautologies A proposition which is always true, for example p ∨ ¬p.

p  ¬p  p ∨ ¬p
t  f     t
f  t     t

theorem, theorems A statement that can be shown to be true using rules of inference, axioms, definitions, and other theorems.

Truth Table, Truth Tables A table listing every possible value for a given proposition or compound propositional statement.

Tuple, Tuples An ordered list of numbers.

validity In logic an argument is valid if and only if it takes a form that makes it impossible for all the premises to be true and the conclusion nevertheless to be false. Note that it is not required for the premises to be true.

Vector, Vectors A measurement that has both magnitude and direction.
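The glossary entries for tautology, contradiction, contingency, logical equivalence, satisfiability and consistent system specifications all reduce to enumerating a truth table. The Python below is an added example, not code from the rtfm page: it builds propositions as small combinators, enumerates every assignment, and uses the resulting columns to classify a formula, to check the ¬p ∨ q ≡ p → q equivalence shown in the glossary, and to decide whether a list of specifications is consistent. The combinator names (var, neg, conj, disj, implies, iff), the helper names, and the two-line specification about authenticated requests are this example's own constructions.

```python
"""Truth-table checks for the glossary terms above: tautology, contradiction,
contingency, logical equivalence, satisfiability and consistent system
specifications. Added example, not part of the rtfm page.
"""
from itertools import product
from typing import Callable, Dict, Iterable, List, Optional, Sequence

Assignment = Dict[str, bool]
Prop = Callable[[Assignment], bool]   # a proposition evaluated under an assignment


def var(name: str) -> Prop:
    return lambda a: a[name]


def neg(p: Prop) -> Prop:
    return lambda a: not p(a)


def conj(p: Prop, q: Prop) -> Prop:
    return lambda a: p(a) and q(a)


def disj(p: Prop, q: Prop) -> Prop:
    return lambda a: p(a) or q(a)


def implies(p: Prop, q: Prop) -> Prop:
    # p -> q is false only on the row where p is true and q is false.
    return lambda a: (not p(a)) or q(a)


def iff(p: Prop, q: Prop) -> Prop:
    return lambda a: p(a) == q(a)


def assignments(variables: Sequence[str]) -> Iterable[Assignment]:
    """Every row of the truth table, in the glossary's order (t before f)."""
    for values in product([True, False], repeat=len(variables)):
        yield dict(zip(variables, values))


def truth_column(prop: Prop, variables: Sequence[str]) -> List[bool]:
    return [prop(a) for a in assignments(variables)]


def classify(prop: Prop, variables: Sequence[str]) -> str:
    """'tautology' if always true, 'contradiction' if always false, else 'contingency'."""
    column = truth_column(prop, variables)
    if all(column):
        return "tautology"
    if not any(column):
        return "contradiction"
    return "contingency"


def equivalent(p: Prop, q: Prop, variables: Sequence[str]) -> bool:
    # p ≡ q exactly when p <-> q is a tautology, i.e. the columns agree on every row.
    return classify(iff(p, q), variables) == "tautology"


def satisfying_assignment(specs: Sequence[Prop],
                          variables: Sequence[str]) -> Optional[Assignment]:
    """First assignment making every specification true, or None.

    A list of system specifications is consistent exactly when such an
    assignment exists; None means the specifications contradict each other.
    """
    for a in assignments(variables):
        if all(spec(a) for spec in specs):
            return a
    return None


def demo_equivalence() -> bool:
    """The glossary's example: ¬p ∨ q has the same column as p → q."""
    p, q = var("p"), var("q")
    return equivalent(disj(neg(p), q), implies(p, q), ["p", "q"])


def demo_classification() -> tuple:
    p = var("p")
    return (classify(disj(p, neg(p)), ["p"]),   # the glossary's tautology
            classify(conj(p, neg(p)), ["p"]),   # the glossary's contradiction
            classify(p, ["p"]))                 # the glossary's contingency


def demo_specifications() -> tuple:
    """Constructed specification (this example's own): p = "the request is
    authenticated", q = "the request is logged". The first two requirements
    force q; adding "the request is not logged" makes the list inconsistent."""
    p, q = var("p"), var("q")
    specs = [implies(p, q), implies(neg(p), q)]
    return (satisfying_assignment(specs, ["p", "q"]),
            satisfying_assignment(specs + [neg(q)], ["p", "q"]))


if __name__ == "__main__":
    print("¬p ∨ q ≡ p → q:", demo_equivalence())
    print("p ∨ ¬p, p ∧ ¬p, p:", demo_classification())
    print("consistent / inconsistent spec:", demo_specifications())
```

Enumeration is exponential in the number of variables, which is exactly why the page treats truth tables as a method for small propositions and reaches for proofs otherwise; for a real specification with dozens of variables a SAT solver does the same job.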

1.11 License

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for software and other kinds of works.

The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.

To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.

For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.

Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.

Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS

0. Definitions.

"This License" refers to version 3 of the GNU General Public License.

"Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.

"The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations.

To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work.

A "covered work" means either the unmodified Program or a work based on the Program.

To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.

1. Source Code.

The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work.

A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.

The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.

The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.

The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.

The Corresponding Source for a work in source code form is that same work.

2. Basic Permissions.

All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.

You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.

Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.

3. Protecting Users' Legal Rights From Anti-Circumvention Law.

No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.

When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.

You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.

5. Conveying Modified Source Versions.

You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:

a) The work must carry prominent notices stating that you modified it, and giving a relevant date.

b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices".

c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.

d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.

A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:

a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.

b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.

c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.

A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.

A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.

"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.


If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).

The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.

Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.

7. Additional Terms.

"Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.

When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.

Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:

a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or

b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or

c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or


d) Limiting the use for publicity purposes of names of licensors or authors of the material; or

e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or

f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.

All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.

If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.

Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.

8. Termination.

You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.


9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.

An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.

You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

11. Patents.

A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version".

A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.

Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.

In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.

If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.

If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.

A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.

Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.


13. Use with the GNU Affero General Public License.

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.

If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.

Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.

END OF TERMS AND CONDITIONS

1.12 Developers

• Derek Goddeau <[email protected]>

1.13 Changelog

1.13.1 Version 0.0a0

• Debian Encrypted RAID LVM setup

1.14 rtfm

1.14.1 rtfm package

Submodules

rtfm.alpha module

A ragged-array-like data structure demonstration with objects: a list of lists whose inner lists may differ in length.

class rtfm.alpha.Alpha(i)

Bases: object

Simple container for demonstration; it could be anything that would be stored in a ragged array.

value : int

Just a value to differentiate between Alpha instances.

__str__()

__str__ defines the class's value when printed with the print() function.

Returns String representation of the Alpha.

Return type (str)


class rtfm.alpha.Beta

Bases: object

A simple container for Alpha objects.

alpha_list : [Alpha]

A list of Alpha objects.

__str__()

__str__ defines the class's value when printed with the print() function.

Returns List of Alpha objects.

Return type (str)

add_alpha(alpha)

Appends an Alpha object onto the end of the list.

Parameters alpha (Alpha) – An Alpha object.

class rtfm.alpha.Gamma(i)

Bases: object

A list of Beta objects, each of which is a list of Alpha objects: a list of lists, similar to a 2-D array or matrix, except that the rows may have different lengths.

beta_list : [Beta]

A list of Beta objects.

__str__()

__str__ defines the class's value when printed with the print() function.

Returns List of Beta objects, one per line.

Return type (str)

add_alpha(alpha, i)

Appends an Alpha object onto the end of the i-th Beta's list.

Parameters

• alpha (Alpha) – An Alpha object.

• i (int) – Index of the Beta the alpha is to be inserted into.

add_beta(beta)

Appends an empty Beta object onto the end of the list.

Parameters beta (Beta) – A Beta object.

rtfm.alpha_test module

rtfm.catalan module

Simple iterator demonstration.

Catalan represents the infinite list of Catalan numbers; iterating over Catalan(n) yields the Catalan numbers less than n.


Example

>>> for n in Catalan(100):
...     print(n, end=' ')
...
1 1 2 5 14 42
>>> catalans = []
>>> for n in Catalan(1000):
...     catalans.append(n)
...
>>> catalans
[1, 1, 2, 5, 14, 42, 132, 429]
>>> import math
>>> catalan = Catalan(float("inf"))
>>> for x in range(14):
...     print(next(catalan), end=' ')
...
1 1 2 5 14 42 132 429 1430 4862 16796 58786 208012 742900

class rtfm.catalan.Catalan(n)

Bases: object

The set of Catalan numbers, defined recursively (with $C_0 = 1$) as:

$$C_{n+1} = C_0 C_n + C_1 C_{n-1} + \dots + C_n C_0$$

n : int

Calculate Catalan numbers less than n.

__iter__()

An object is not iterable unless it provides __iter__().

Returns The iterable Catalan object itself.

Return type (self)

__next__()

For an object to be a valid iterator, it must provide __next__().

Returns The next Catalan number; raises StopIteration once the next number would be n or greater.

Return type (int)
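The iterator protocol and the recurrence documented above, worked through as an added example; it is not rtfm's own rtfm.catalan source, which this page does not show. The Catalan class here takes the same constructor argument and stops below n the same way as the documented one, and the recurrence is cross-checked against the closed form C_k = binom(2k, k) / (k + 1). The helper names catalans_below, first_catalans, catalan_closed_form and recurrence_matches_closed_form are this example's own.

```python
"""Catalan numbers as a bounded iterator (added example, not rtfm's code).

__iter__ returns self and __next__ yields the next Catalan number below the
bound n, raising StopIteration once the next term reaches n. Terms come from
the recurrence C_{k+1} = C_0*C_k + C_1*C_{k-1} + ... + C_k*C_0 with C_0 = 1,
so every earlier term has to be kept.
"""
from math import comb


class Catalan:
    def __init__(self, n):
        self.n = n          # emit only Catalan numbers strictly less than n
        self._terms = []    # C_0 .. C_k computed so far

    def __iter__(self):
        return self

    def __next__(self):
        if not self._terms:
            nxt = 1         # base case C_0
        else:
            k = len(self._terms) - 1
            # convolution of the prefix with itself: sum_i C_i * C_{k-i}
            nxt = sum(self._terms[i] * self._terms[k - i] for i in range(k + 1))
        if nxt >= self.n:   # float("inf") as n gives an unbounded iterator
            raise StopIteration
        self._terms.append(nxt)
        return nxt


def catalans_below(n):
    """All Catalan numbers less than n, e.g. catalans_below(100)."""
    return list(Catalan(n))


def first_catalans(count):
    """First `count` Catalan numbers, drawn from an unbounded iterator."""
    it = Catalan(float("inf"))
    return [next(it) for _ in range(count)]


def catalan_closed_form(k):
    """C_k = binom(2k, k) / (k + 1); independent check on the recurrence."""
    return comb(2 * k, k) // (k + 1)


def recurrence_matches_closed_form(count):
    """True if the first `count` terms from the recurrence equal the closed form."""
    return first_catalans(count) == [catalan_closed_form(k) for k in range(count)]


if __name__ == "__main__":
    print(catalans_below(1000))
    print(recurrence_matches_closed_form(30))
```

Keeping the full prefix makes each step O(k), which is fine for the handful of terms anyone iterates before the numbers outgrow a bound; the closed form is the cheaper way to get a single C_k.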

rtfm.skeleton module

This is a skeleton file.

rtfm.skeleton.fib(n)

Fibonacci example function.

Parameters n – integer

Returns n-th Fibonacci number

rtfm.skeleton.main(args)

rtfm.skeleton.parse_args(args)

Parse command line parameters.


Parameters args – command line parameters as a list of strings

Returns command line parameters as an argparse.Namespace

rtfm.skeleton.run()

rtfm.tcp_client module

A simple TCP client. Generally, when pentesting, the following issues are ignored in quick and dirty scripts.

Assumptions:

1. The connection will always succeed.

2. The server is always expecting to receive data first.

3. The server will always send data back in a timely fashion.

rtfm.tcp_client.main()

rtfm.tcp_server module

A simple TCP server.

rtfm.tcp_server.handle_client(client_socket)

The client-handling thread.

rtfm.tcp_server.main()
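What the client looks like once the three assumptions listed under rtfm.tcp_client are dropped, with a threaded one-shot server in the style of rtfm.tcp_server standing in for the target. This is an added example, not rtfm's tcp_client or tcp_server code (this page does not show either); the names serve_once, tcp_exchange, closed_port and the handler functions, and the constructed "ping" payload and "220 hello" greeting, are this example's own. Everything runs on the loopback interface with ephemeral ports, so it works offline.

```python
"""Robust TCP client beside a minimal threaded server (added example).

A refused connection, a server that speaks first, and a server that never
answers each become a status value instead of a traceback or a hang.
"""
import socket
import threading


def serve_once(handler, host="127.0.0.1"):
    """Bind an ephemeral port and handle exactly one client in a thread.

    Returns (port, thread) so the caller knows where to connect.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        # The client-handling thread, as rtfm.tcp_server.handle_client is.
        client_socket, _ = srv.accept()
        srv.close()
        with client_socket:
            handler(client_socket)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def echo_handler(client_socket):
    """Client speaks first; server acknowledges what it received."""
    data = client_socket.recv(4096)
    client_socket.sendall(b"ACK:" + data)


def banner_handler(client_socket):
    """Server speaks first (SMTP/SSH-style greeting), then acknowledges."""
    client_socket.sendall(b"220 hello\r\n")
    data = client_socket.recv(4096)
    client_socket.sendall(b"ACK:" + data)


def silent_handler(client_socket):
    """Accepts, drains input until the peer closes, never replies."""
    while client_socket.recv(4096):
        pass


def closed_port(host="127.0.0.1"):
    """Reserve and release a port so that connecting to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def tcp_exchange(host, port, payload, timeout=1.0, expect_banner=False):
    """Send payload; return a dict with status, banner and reply.

    status is one of: ok, closed, refused, timeout, or error:<reason>.
    """
    result = {"status": "ok", "banner": b"", "reply": b""}
    try:
        # Assumption 1 dropped: connect can fail, and is bounded by timeout.
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            # Assumption 2 dropped: some servers send a greeting first.
            if expect_banner:
                result["banner"] = s.recv(4096)
            s.sendall(payload)
            # Assumption 3 dropped: a recv that never returns is a timeout.
            result["reply"] = s.recv(4096)
            if not result["reply"]:
                result["status"] = "closed"  # peer hung up without replying
    except ConnectionRefusedError:
        result["status"] = "refused"
    except socket.timeout:
        result["status"] = "timeout"
    except OSError as exc:
        result["status"] = "error:%s" % exc
    return result


if __name__ == "__main__":
    port, _ = serve_once(banner_handler)
    print(tcp_exchange("127.0.0.1", port, b"ping", expect_banner=True))
    port, _ = serve_once(silent_handler)
    print(tcp_exchange("127.0.0.1", port, b"ping", timeout=0.5))
    print(tcp_exchange("127.0.0.1", closed_port(), b"ping"))
```

The two timeouts matter separately: create_connection bounds the TCP handshake (a filtered port silently drops SYNs and would otherwise block for minutes), and settimeout bounds every later recv. A recv that returns an empty bytes object is the peer closing, not a timeout, so the client reports "closed" rather than treating it as a reply.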

Module contents


CHAPTER 2

Indices and tables

• genindex

• modindex

• search
